nnrpd multiple SSL certs
Jeffrey M. Vinocur
jeff at litech.org
Fri Jan 4 08:05:49 UTC 2002
On Thu, 3 Jan 2002, Kim Alm wrote:
>
> On Sun, 30 Dec 2001, Jeffrey M. Vinocur wrote:
>
> >>>>But it also opens up the need to specify a file name for the SSL cert
> >>>>file.
> >
> > No, it's not. But I wonder about doing this cleanly so we can integrate
> > it into CURRENT -- does anyone have thoughts about architecture?
>
> I suggest that there should be a default for this, preferably as it's
> right now, otherwise a lot of people would end up with broken nnrpds when
> they do an upgrade to the new nnrpd.
Oh, of course.
> > Another commandline flag?
>
> That's a clean way to do it, but not very efficient; that would restrict
> it to one cert per nnrpd running. And if someone would like to provide a
> different CERT to all organizations using their server, it would be
> possible but not very efficient.
Ah, but see below.
> > do we want to try to integrate this *into* readers.conf
> > somehow? (I don't see any good way to, but it makes sense in a twisted
> > sort of way)
>
> [...]
>
> auth "foo" {
> hosts: "*.foo"
> cert: foo.pem
> ...
> }
> auth "bar" {
> hosts: "*.bar"
> cert: bar.pem
> ...
> }
Right, this would be nice. But it won't work. (Correct me if I'm wrong.)
At any point, it is possible that multiple auth groups are applicable to a
given connection. (We try them in succession.) But once we negotiate the
SSL connection, we've already sent the certificate (i.e., before we start
sending data)...but which one?
--
Jeffrey M. Vinocur
jeff at litech.org
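As an added illustration of the selection problem raised in the message above (not code from INN or from anyone in this thread): a small Python sketch that parses the suggested per-group `cert:` key (a hypothetical key, not real readers.conf syntax) and tries to pick a certificate from the peer's host name alone, since that is all nnrpd knows at the moment the handshake has to send it. The config fragment and the function names are constructed for the example.

```python
import fnmatch
import re

# Constructed readers.conf fragment in the shape proposed in the thread.
# "cert:" is a hypothetical key; the "all" group is a catch-all that
# overlaps with the first two, as real readers.conf files commonly do.
READERS_CONF = """
auth "foo" {
    hosts: "*.foo"
    cert: foo.pem
}
auth "bar" {
    hosts: "*.bar"
    cert: bar.pem
}
auth "all" {
    hosts: "*"
    cert: default.pem
}
"""

AUTH_RE = re.compile(r'auth\s+"([^"]+)"\s*\{(.*?)\}', re.S)


def parse_auth_groups(text):
    """Return [(name, [host patterns], cert)] in file order (order matters:
    nnrpd tries auth groups in succession)."""
    groups = []
    for name, body in AUTH_RE.findall(text):
        hosts, cert = [], None
        for line in body.splitlines():
            line = line.strip()
            if line.startswith("hosts:"):
                hosts = [p.strip().strip('"') for p in line[6:].split(",")]
            elif line.startswith("cert:"):
                cert = line[5:].strip().strip('"')
        groups.append((name, hosts, cert))
    return groups


def certs_for_peer(groups, peer_host):
    """Every (group, cert) whose hosts pattern matches the connecting peer.
    Host name is the only selector available before any NNTP data flows."""
    return [(name, cert) for name, hosts, cert in groups
            if any(fnmatch.fnmatchcase(peer_host, pat) for pat in hosts)]


def choose_cert(groups, peer_host):
    """Cert to present in the handshake, or None when the matching groups
    disagree: the later auth exchange cannot resolve it, the cert is gone."""
    distinct = {cert for _, cert in certs_for_peer(groups, peer_host)}
    return distinct.pop() if len(distinct) == 1 else None
```

A peer from `news.foo` matches both "foo" and "all", so the server cannot decide which certificate to send; only peers that match groups sharing a single cert get an unambiguous answer.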