nnrpd multiple SSL certs

Kim Alm kea at penti.org
Thu Jan 3 08:15:58 UTC 2002


On Sun, 30 Dec 2001, Jeffrey M. Vinocur wrote:
> On Thu, 20 Dec 2001, Kim Alm wrote:

> > > > But it also opens up the need to specify a file name for the SSL cert
> > > > file.
> > > If it's important to you, I don't see any reason we can't make a patch for
> > > this.
> > Yes, I would like to see it, and I suppose that this is not a major hack
> > to the nnrpd code?
>
> No, it's not.  But I wonder about doing this cleanly so we can integrate
> it into CURRENT -- does anyone have thoughts about architecture?

I suggest that there should be a default for this, preferably as it's
right now, otherwise a lot of people would end up with broken nnrpds when
they do an upgrade to the new nnrpd.

>  Another commandline flag?

That's a clean way to do it, but not very efficient, that would restrict
to one cert per nnrpd running. And if someone would like to provide
different CERT to all organizations using their server, it would be
possible but not very efficient.

> do we want to try to integrate this *into* readers.conf
> somehow? (I don't see any good way to, but it makes sense in a twisted
> sort of way)

How would it be to add it in the same way as the auth, that looks for an
authenticator in pathbin/auth/passwd. cert would in the same way look for
certs in the ~news/lib/

And the readers.conf file would look something like:

auth "foo" {
	hosts: "*.foo"
	cert:  foo.pem
	...
}

auth "bar" {
	hosts: "*.bar"
	cert:  bar.pem
	...
}

Kim
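
A sketch of the lookup proposed in the message above, as an added example that is not INN code or part of the original post: the first auth group whose hosts pattern matches the client picks the cert, groups without a cert keep the existing default, and a cert value that is not a plain file name is refused so it cannot point outside the cert directory. The struct, function names, sample groups and paths are assumptions, and POSIX fnmatch() stands in for INN's own host matching.

```c
#include <fnmatch.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical in-memory form of one auth group from the proposed readers.conf. */
struct auth_group {
    const char *name;
    const char *hosts;  /* wildcard pattern, e.g. "*.foo" */
    const char *cert;   /* bare file name, or NULL when the group sets no cert */
};

/* Constructed sample groups: the two from the message plus two edge cases. */
static const struct auth_group groups[] = {
    { "foo", "*.foo", "foo.pem" },
    { "bar", "*.bar", "bar.pem" },
    { "baz", "*.baz", NULL },                   /* no cert: key */
    { "bad", "*.bad", "../../etc/other.pem" },  /* tries to leave certdir */
};

/* A cert value must be a plain file name so it stays inside certdir. */
static int cert_name_ok(const char *n)
{
    return n[0] != '\0' && n[0] != '.' && strchr(n, '/') == NULL;
}

/*
 * Write the cert path for a client host into out. The first matching group
 * wins. Returns 1 if a group-specific cert was chosen, 0 if the default is
 * used (no match, or the group sets no cert), and -1 if the configured name
 * is unsafe or the resulting path does not fit in out.
 */
int select_cert(const char *host, const char *certdir, const char *deflt,
                char *out, size_t outlen)
{
    const char *name = NULL;
    size_t i;
    int n;

    for (i = 0; i < sizeof groups / sizeof groups[0]; i++) {
        if (fnmatch(groups[i].hosts, host, 0) != 0)
            continue;
        name = groups[i].cert;
        if (name != NULL && !cert_name_ok(name))
            return -1;                          /* refuse, do not guess */
        break;
    }
    n = name ? snprintf(out, outlen, "%s/%s", certdir, name)
             : snprintf(out, outlen, "%s", deflt);
    if (n < 0 || (size_t)n >= outlen)
        return -1;
    return name != NULL;
}
```
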


