nnrpd multiple SSL certs

Jeffrey M. Vinocur jeff at litech.org
Fri Jan 4 08:05:49 UTC 2002

On Thu, 3 Jan 2002, Kim Alm wrote:

> On Sun, 30 Dec 2001, Jeffrey M. Vinocur wrote:
> >>>>But it also opens up the need to specify a file name for the SSL cert
> >>>>file.
> >
> > No, it's not.  But I wonder about doing this cleanly so we can integrate
> > it into CURRENT -- does anyone have thoughts about architecture?
> I suggest that there should be a default for this, preferably as it's
> right now, otherwise a lot of people would end up with broken nnrpds when
> they do an upgrade to the new nnrpd.

Oh, of course.

> >  Another commandline flag?
> That's a clean way to do it, but not very efficient, that would restrict
> to one cert per nnrpd running. And if someone would like to provide
> different CERT to all organizations using their server, it would be
> possible but not very efficient.

Ah, but see below.

> > do we want to try to integrate this *into* readers.conf
> > somehow? (I don't see any good way to, but it makes sense in a twisted
> > sort of way)
> [...]
> auth "foo" {
> 	hosts: "*.foo"
> 	cert:  foo.pem
> 	...
> }
> auth "bar" {
> 	hosts: "*.bar"
> 	cert:  bar.pem
> 	...
> }

Right, this would be nice.  But it won't work.  (Correct me if I'm wrong.)

At any point, it is possible that multiple auth groups are applicable to a
given connection.  (We try them in succession.)  But once we negotiate the
SSL connection, we've already sent the certificate (i.e., before we start
sending data)...but which one?

Jeffrey M. Vinocur
jeff at litech.org
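An added illustration of the ambiguity Jeffrey raises, not code from the thread or from INN: it parses readers.conf-style auth blocks carrying the proposed (hypothetical) "cert:" key and lists every certificate whose group admits the connecting host. Because only the peer address is known when the TLS handshake must send a certificate, any host that matches more than one group leaves the server with no unique choice.

```python
import fnmatch
import re
from typing import Dict, List

# Constructed snippet modeled on the blocks quoted above; "cert:" is the
# proposed key from the thread, not an actual INN readers.conf parameter.
READERS_CONF = """
auth "foo" {
    hosts: "*.foo"
    cert:  foo.pem
}
auth "bar" {
    hosts: "*.bar, *.foo"
    cert:  bar.pem
}
"""

BLOCK_RE = re.compile(r'auth\s+"([^"]+)"\s*\{(.*?)\}', re.S)
KV_RE = re.compile(r'^\s*(\w+):\s*"?([^"\n]*?)"?\s*$', re.M)


def parse_auth_groups(text: str) -> List[Dict[str, str]]:
    """Parse auth blocks into dicts, preserving file order (groups are tried in order)."""
    groups = []
    for name, body in BLOCK_RE.findall(text):
        entry = {"name": name}
        for key, value in KV_RE.findall(body):
            entry[key] = value.strip()
        groups.append(entry)
    return groups


def host_matches(patterns: str, hostname: str) -> bool:
    """A hosts: value is a comma-separated list of wildcard patterns."""
    return any(fnmatch.fnmatch(hostname, p.strip()) for p in patterns.split(","))


def candidate_certs(groups: List[Dict[str, str]], hostname: str) -> List[str]:
    """Certs of every group whose hosts: pattern admits the peer.

    The peer address is all the server knows before the handshake, so a
    result longer than one means the certificate choice is ambiguous.
    """
    return [g["cert"] for g in groups
            if "cert" in g and host_matches(g.get("hosts", ""), hostname)]
```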