OpenBSD Journal

SNI support added to libtls, httpd in -current

Contributed by rueda on from the knights-who-say-SNI dept.

Joel Sing (jsing@) has added server-side Server Name Indication (SNI) support to libtls and, based on that, to httpd.

This work involved several commits, including, for libtls:

CVSROOT:	/cvs
Module name:	src
Changes by:	jsing@cvs.openbsd.org	2016/08/22 08:55:59

Modified files:
	lib/libtls     : tls.h tls_config.c tls_conninfo.c tls_init.3 
	                 tls_internal.h 

Log message:
Provide an API that enables server side SNI support - add the ability to
provide additional keypairs (via tls_config_add_keypair_{file,mem}()) and
allow the server to determine what servername the client requested (via
tls_conn_servername()).

ok beck@

and for httpd:

CVSROOT:	/cvs
Module name:	src
Changes by:	jsing@cvs.openbsd.org	2016/08/22 09:02:18

Modified files:
	usr.sbin/httpd : httpd.h parse.y server.c 

Log message:
Enable SNI support in httpd(8).

ok reyk@

These changes broaden the compatibility of (and thus usage scenarios for) libtls and httpd.

(Comments are closed)


  1. By Michael W Lucas (agshekeloh) mwlucas@michaelwlucas.com on http://www.michaelwlucas.com

    Yay! This was the last thing I was waiting on.

    1. By Anonymous Coward (2601:186:4400:2045:614c:1d8:770f:e96e) on

      > Yay! This was the last thing I was waiting on.


      Yay! is right.

      I've been waiting on this for HTTP, and DANE support for SMTP.

      One step at a time. :)

      thanks!



  2. By Anonymous Coward (91.82.167.156) on

    Is this ends the elinks errors? see<a href="http://stackoverflow.com/questions/36381767/ssl-certificates-and-elinks">stackoverflow</a>

    1. By Joel Sing (144.139.233.124) jsing@openbsd.org on

      > Is this ends the elinks errors?

      No - elinks uses libssl/gnutls and lacks SNI support as a client. Adding client-side SNI support via libssl should only be a matter of adding a call to SSL_set_tlsext_host_name() with some appropriate checks (or you could write a libtls backend for it).

  3. By Ilyas Bakirov (92.47.120.67) on

    Thanks, feature is most wanted in httpd ;)

  4. By Alexis (176.6.17.7) on

    Sweet this will be very useful to use Let's Encrypt with httpd.
    Will the changes make it into 6.0?

    1. By Anonymous Coward (84.112.151.67) on

      > Sweet this will be very useful to use Let's Encrypt with httpd.
      > Will the changes make it into 6.0?

      No.

    2. By Joel Sing (144.139.233.124) jsing@openbsd.org on

      > Sweet this will be very useful to use Let's Encrypt with httpd.
      > Will the changes make it into 6.0?

      No, server-side SNI support is in -current and will be in the 6.1 release.

  5. By Anonymous Coward (91.241.33.66) on

    What is status of Lua-based rewrites?

    1. By 22Decembre (2001:470:2099:e2:31c5:18d:fec4:5f7) stephane@22decembre.eu on https://www.22decembre.eu

      > What is status of Lua-based rewrites?

      Aren't they already working ? I would say they are not easy to do, but I have already made some little rewrite that work.

      1. By Anonymous Coward (155.52.208.81) on

        > > What is status of Lua-based rewrites?
        >
        > Aren't they already working ? I would say they are not easy to do, but I have already made some little rewrite that work.
        >

        Rewrites as a redirect work now. Rewrites without redirect still doesn't exist.

        https://github.com/reyk/httpd/issues/27

Credits

Copyright © - Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to as well as images and HTML templates were copied from the fabulous original deadly.org with Jose's and Jim's kind permission. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]