Contributed by rueda on from the knights-who-say-SNI dept.
Joel Sing (jsing@) has added server-side Server Name Indication (SNI) support to libtls and, based on that, to httpd.
This work involved several commits, including, for libtls:
CVSROOT: /cvs
Module name: src
Changes by: jsing@cvs.openbsd.org 2016/08/22 08:55:59

Modified files:
lib/libtls : tls.h tls_config.c tls_conninfo.c tls_init.3 tls_internal.h

Log message:
Provide an API that enables server side SNI support - add the ability to provide additional keypairs (via tls_config_add_keypair_{file,mem}()) and allow the server to determine what servername the client requested (via tls_conn_servername()).

ok beck@
and for httpd:
CVSROOT: /cvs
Module name: src
Changes by: jsing@cvs.openbsd.org 2016/08/22 09:02:18

Modified files:
usr.sbin/httpd : httpd.h parse.y server.c

Log message:
Enable SNI support in httpd(8).

ok reyk@
These changes broaden the compatibility of (and thus usage scenarios for) libtls and httpd.
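The server name that tls_conn_servername() reports comes from the server_name extension of the client's ClientHello, so it is unauthenticated client input. As an added example (not libtls or httpd code; the names take, client_hello_sni and SAMPLE_HELLO and the sample bytes are constructed for illustration), a bounds-checked parser for that extension as laid out in RFC 6066, assuming the ClientHello body arrives unfragmented:

```c
#include <stdint.h>
#include <string.h>

struct cur { const uint8_t *p; size_t n; };	/* cursor over untrusted bytes */

/* Carve a field off the front of c: len bytes, or (w > 0) a w-byte length prefix plus body. */
static int take(struct cur *c, size_t w, size_t len, struct cur *out)
{
	size_t i;
	for (i = 0; i < w && i < c->n; i++)
		len = (len << 8) | c->p[i];
	if (i < w || c->n - w < len)	/* a claimed length must fit in what is left */
		return -1;
	*out = (struct cur){ c->p + w, len };
	c->p += w + len;
	c->n -= w + len;
	return 0;
}

/* Copy the SNI host_name from a ClientHello body (after the handshake header); -1 if none or bad. */
int client_hello_sni(const uint8_t *buf, size_t len, char *out, size_t outlen)
{
	struct cur c = { buf, len }, skip, exts, ext, t, list, name;
	if (take(&c, 0, 34, &skip) || take(&c, 1, 0, &skip) ||	/* version+random, session_id */
	    take(&c, 2, 0, &skip) || take(&c, 1, 0, &skip) ||	/* cipher_suites, compression */
	    take(&c, 2, 0, &exts))				/* extensions block */
		return -1;
	while (exts.n > 0) {
		if (take(&exts, 0, 2, &t) || take(&exts, 2, 0, &ext))
			return -1;
		if (t.p[0] != 0 || t.p[1] != 0)		/* not server_name(0): skip it */
			continue;
		if (take(&ext, 2, 0, &list) || take(&list, 0, 1, &t) || t.p[0] != 0 ||
		    take(&list, 2, 0, &name) || name.n == 0 || name.n >= outlen ||
		    memchr(name.p, 0, name.n) != NULL)	/* host_name(0) only, no NUL */
			return -1;
		memcpy(out, name.p, name.n);
		out[name.n] = '\0';
		return 0;
	}
	return -1;
}

/* Constructed sample ClientHello body (zero random) asking for "www.example.com". */
const uint8_t SAMPLE_HELLO[] = {
	0x03, 0x03, [34] = 0x00, 0x00, 0x02, 0x13, 0x01, 0x01, 0x00, /* version, sid, suite, comp */
	0x00, 0x18, 0x00, 0x00, 0x00, 0x14, 0x00, 0x12, 0x00, 0x00, 0x0f, /* ext, list, name lens */
	'w','w','w','.','e','x','a','m','p','l','e','.','c','o','m'
};
```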
By Michael W Lucas (agshekeloh) mwlucas@michaelwlucas.com on http://www.michaelwlucas.com
Comments
By Anonymous Coward (2601:186:4400:2045:614c:1d8:770f:e96e) on
Yay! is right.
I've been waiting on this for HTTP, and DANE support for SMTP.
One step at a time. :)
thanks!
By Anonymous Coward (91.82.167.156) on
Comments
By Joel Sing (144.139.233.124) jsing@openbsd.org on
No - elinks uses libssl/gnutls and lacks SNI support as a client. Adding client-side SNI support via libssl should only be a matter of adding a call to SSL_set_tlsext_host_name() with some appropriate checks (or you could write a libtls backend for it).
By Ilyas Bakirov (92.47.120.67) on
By Alexis (176.6.17.7) on
Will the changes make it into 6.0?
Comments
By Anonymous Coward (84.112.151.67) on
> Will the changes make it into 6.0?
No.
By Joel Sing (144.139.233.124) jsing@openbsd.org on
> Will the changes make it into 6.0?
No, server-side SNI support is in -current and will be in the 6.1 release.
By Anonymous Coward (91.241.33.66) on
Comments
By 22Decembre (2001:470:2099:e2:31c5:18d:fec4:5f7) stephane@22decembre.eu on https://www.22decembre.eu
Aren't they already working? I would say they are not easy to do, but I have already made some little rewrites that work.
Comments
By Anonymous Coward (155.52.208.81) on
>
> Aren't they already working ? I would say they are not easy to do, but I have already made some little rewrite that work.
>
Rewrites as a redirect work now. Rewrites without redirect still don't exist.
https://github.com/reyk/httpd/issues/27