
Mailing List Archive: Apache: Dev

SNI support for mod_ssl



fuankg at apache

Dec 17, 2007, 2:06 PM

Post #1 of 7 (4861 views)
SNI support for mod_ssl

Hi all,
another user pointed out that it seems that mod_ssl doesn't support SNI yet:
http://www.g-loaded.eu/2007/08/10/ssl-enabled-name-based-apache-virtual-hosts-with-mod_gnutls/

one of the reader comments contains a link to a mod_ssl patch which enables this:
https://sni.velox.ch/misc/httpd-2.2.2-sni.patch

I've tested the patch against trunk and 2.2.x, and it applies to both with some fuzz....

someone against bringing this into trunk?

Guen.


shenson at oss-institute

Dec 17, 2007, 2:50 PM

Post #2 of 7 (4730 views)
Re: SNI support for mod_ssl [In reply to]

Guenter Knauf wrote:
> Hi all,
> another user pointed out that it seems that mod_ssl doesn't support SNI yet:
> http://www.g-loaded.eu/2007/08/10/ssl-enabled-name-based-apache-virtual-hosts-with-mod_gnutls/
>
> one of the reader comments contains a link to a mod_ssl patch which enables this:
> https://sni.velox.ch/misc/httpd-2.2.2-sni.patch
>
> I've tested the patch against trunk and 2.2.x, and it applies to both with some fuzz....
>
> someone against bringing this into trunk?
>

A patch is also in bug #34607. Originally no released version of OpenSSL
supported SNI; it was an experimental addition to the HEAD which will
become 0.9.9-dev.

I recently backported it as an option to 0.9.8f. By "option" I mean it
is not compiled in by default but will be included if the configuration
option enable-tlsext is included.

The patch included in the bug correctly detects the presence of support
and will make use of it if compiled against an appropriately configured
version of OpenSSL.

Steve.
--
Dr Stephen N. Henson.
Core developer of the OpenSSL project: http://www.openssl.org/
Freelance consultant see: http://www.drh-consultancy.co.uk/
Email: shenson [at] drh-consultancy, PGP key: via homepage.


fuankg at apache

Dec 17, 2007, 3:05 PM

Post #3 of 7 (4727 views)
Re: SNI support for mod_ssl [In reply to]

Hi Steve,
> A patch is also in bug #34607. Originally no released version of OpenSSL
> supported SNI; it was an experimental addition to the HEAD which will
> become 0.9.9-dev.

> I recently backported it as an option to 0.9.8f. By "option" I mean it
> is not compiled in by default but will be included if the configuration
> option enable-tlsext is included.

> The patch included in the bug correctly detects the presence of support
> and will make use of it if compiled against an appropriately configured
> version of OpenSSL.
thanks very much for pointing to #34607 - I looked at BugZilla, but didn't find it (seems I'm too stupid to enter the right keywords, argh).
So from what I read in the bug everything is now solved, and I can commit it to trunk, or?

any +/- comments?

Guen.


margol at beamartyr

Dec 18, 2007, 12:52 AM

Post #4 of 7 (4728 views)
Re: SNI support for mod_ssl [In reply to]

I haven't reviewed the patch, but from a functionality perspective, I'd
love to see SNI in Apache, although IMHO it's something that will need
to be backported to far more browsers before it can be considered useful
outside of a controlled environment...

Issac

Guenter Knauf wrote:
> Hi Steve,
>> A patch is also in bug #34607. Originally no released version of OpenSSL
>> supported SNI; it was an experimental addition to the HEAD which will
>> become 0.9.9-dev.
>
>> I recently backported it as an option to 0.9.8f. By "option" I mean it
>> is not compiled in by default but will be included if the configuration
>> option enable-tlsext is included.
>
>> The patch included in the bug correctly detects the presence of support
>> and will make use of it if compiled against an appropriately configured
>> version of OpenSSL.
> thanks very much for pointing to #34607 - I looked at BugZilla, but didn't find it (seems I'm too stupid to enter the right keywords, argh).
> So from what I read in the bug everything is now solved, and I can commit it to trunk, or?
>
> any +/- comments?
>
> Guen.
>
>


fuankg at apache

Dec 18, 2007, 2:26 AM

Post #5 of 7 (4727 views)
Re: SNI support for mod_ssl [In reply to]

Hi,
> I haven't reviewed the patch, but from a functionality perspective, I'd
> love to see SNI in Apache, although IMHO it's something that will need
> to be backported to far more browsers before it can be considered useful
> outside of a controlled environment...
from what I've read in other threads it seems that all recent browsers (Firefox 2.x, IE 7.x, Opera 9.x) are able to work with SNI, and from an administrator's point of view I find it perfectly ok to require usage of latest browsers when using secured sites.
In addition it's anyway entirely the administrator's choice to configure it, or not.
Current mod_ssl code even already allows to configure it that way, but a warning is logged when such a configuration is found. Therefore I think we should get the patch in to allow SNI when someone needs it.

Guenter.
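The configuration Guenter refers to, as an added illustration rather than anything from the thread or the patch: two name-based SSL virtual hosts on the same address and port, each with its own certificate. Host names and file paths are placeholders. Without the SNI patch, mod_ssl accepts this but logs the warning mentioned above and serves only the first certificate; with it, the server_name sent by an SNI-capable browser selects the block. A client that sends no SNI still gets the first virtual host, so that block should hold the certificate you want non-SNI clients to see.

```apache
# Name-based SSL vhosts (Apache 2.2 style); requires SNI in both mod_ssl and the client
NameVirtualHost *:443

<VirtualHost *:443>
    ServerName www.example.com
    SSLEngine on
    SSLCertificateFile    /etc/apache2/ssl/www.example.com.crt
    SSLCertificateKeyFile /etc/apache2/ssl/www.example.com.key
</VirtualHost>

<VirtualHost *:443>
    ServerName secure.example.org
    SSLEngine on
    SSLCertificateFile    /etc/apache2/ssl/secure.example.org.crt
    SSLCertificateKeyFile /etc/apache2/ssl/secure.example.org.key
</VirtualHost>
```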


margol at beamartyr

Dec 18, 2007, 2:34 AM

Post #6 of 7 (4719 views)
Re: SNI support for mod_ssl [In reply to]

+1 (for what it's worth from a non-committer :))

Guenter Knauf wrote:
> Hi,
>> I haven't reviewed the patch, but from a functionality perspective, I'd
>> love to see SNI in Apache, although IMHO it's something that will need
>> to be backported to far more browsers before it can be considered useful
>> outside of a controlled environment...
> from what I've read in other threads it seems that all recent browsers (Firefox 2.x, IE 7.x, Opera 9.x) are able to work with SNI, and from an administrator's point of view I find it perfectly ok to require usage of latest browsers when using secured sites.
> In addition it's anyway entirely the administrator's choice to configure it, or not.
> Current mod_ssl code even already allows to configure it that way, but a warning is logged when such a configuration is found. Therefore I think we should get the patch in to allow SNI when someone needs it.
>
> Guenter.
>
>


shenson at oss-institute

Dec 21, 2007, 2:57 AM

Post #7 of 7 (4707 views)
Re: SNI support for mod_ssl [In reply to]

Guenter Knauf wrote:
> Hi Steve,
>> A patch is also in bug #34607. Originally no released version of OpenSSL
>> supported SNI; it was an experimental addition to the HEAD which will
>> become 0.9.9-dev.
>
>> I recently backported it as an option to 0.9.8f. By "option" I mean it
>> is not compiled in by default but will be included if the configuration
>> option enable-tlsext is included.
>
>> The patch included in the bug correctly detects the presence of support
>> and will make use of it if compiled against an appropriately configured
>> version of OpenSSL.
> thanks very much for pointing to #34607 - I looked at BugZilla, but didn't find it (seems I'm too stupid to enter the right keywords, argh).
> So from what I read in the bug everything is now solved, and I can commit it to trunk, or?
>

From my brief look at the patch it seems fine to me.

Steve.
--
Dr Stephen N. Henson.
Core developer of the OpenSSL project: http://www.openssl.org/
Freelance consultant see: http://www.drh-consultancy.co.uk/
Email: shenson [at] drh-consultancy, PGP key: via homepage.
