nnrpd multiple SSL certs

Jeffrey M. Vinocur jeff at litech.org
Fri Jan 4 08:05:49 UTC 2002


On Thu, 3 Jan 2002, Kim Alm wrote:

>
> On Sun, 30 Dec 2001, Jeffrey M. Vinocur wrote:
>
> >>>>But it also opens up the need to specify a file name for the SSL cert
> >>>>file.
> >
> > No, it's not.  But I wonder about doing this cleanly so we can integrate
> > it into CURRENT -- does anyone have thoughts about architecture?
>
> I suggest that there should be a default for this, preferably as it's
> right now, otherwise a lot of people would end up with broken nnrpds when
> they do an upgrade to the new nnrpd.

Oh, of course.


> >  Another commandline flag?
>
> That's a clean way to do it, but not very efficient, that would restrict
> to one cert per nnrpd running. And if someone would like to provide
> different CERT to all organizations using their server, it would be
> possible but not very efficient.

Ah, but see below.


> > do we want to try to integrate this *into* readers.conf
> > somehow? (I don't see any good way to, but it makes sense in a twisted
> > sort of way)
>
> [...]
>
> auth "foo" {
> 	hosts: "*.foo"
> 	cert:  foo.pem
> 	...
> }
> auth "bar" {
> 	hosts: "*.bar"
> 	cert:  bar.pem
> 	...
> }

Right, this would be nice.  But it won't work.  (Correct me if I'm wrong.)

At any point, it is possible that multiple auth groups are applicable to a
given connection.  (We try them in succession.)  But once we negotiate the
SSL connection, we've already sent the certificate (i.e., before we start
sending data)...but which one?



-- 
Jeffrey M. Vinocur
jeff at litech.org
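To make the objection concrete, here is a small added model (example code written for this archive page, not INN's own nnrpd or readers.conf code) of the per-auth-group `cert:` idea quoted above. It approximates INN's wildmat host patterns with Python globs (comma-separated expressions, `!` negates, last match wins; a simplification, not INN's implementation), takes the `cert:` key and the constructed group list as assumptions, and shows that at handshake time, when only the peer's hostname is known, several groups can apply with different certificate files, so the server cannot pick one; the fallback to a single default keeps upgraded servers working.

```python
"""Toy model of readers.conf auth-group matching at TLS-handshake time.

Added example, not INN code. The 'cert:' key is the hypothetical one from
the thread; the groups below are constructed. It shows why nnrpd cannot
choose a certificate per auth group: the certificate goes out during the
SSL handshake, before any NNTP command (and so before any authentication),
and at that moment more than one group may match the connecting host.
"""
from fnmatch import fnmatchcase

# Constructed readers.conf-style auth groups (hypothetical cert: key).
AUTH_GROUPS = [
    {"name": "foo", "hosts": "*.foo", "cert": "foo.pem"},
    {"name": "bar", "hosts": "*.bar", "cert": "bar.pem"},
    {"name": "campus", "hosts": "*.foo,*.bar,!guest.*.foo", "cert": "campus.pem"},
    {"name": "anyone", "hosts": "*", "cert": None},  # no cert: uses the default
]

DEFAULT_CERT = "default.pem"  # the single default file name nnrpd has today


def wildmat(pattern_list: str, name: str) -> bool:
    """Simplified wildmat: comma-separated globs, '!' negates, last match wins."""
    result = False
    for pat in pattern_list.split(","):
        pat = pat.strip()
        negate = pat.startswith("!")
        if negate:
            pat = pat[1:]
        if fnmatchcase(name, pat):
            result = not negate
    return result


def applicable_groups(client_host: str) -> list:
    """All auth groups whose hosts: pattern matches the connecting host,
    in readers.conf order (nnrpd tries them in succession)."""
    return [g for g in AUTH_GROUPS if wildmat(g["hosts"], client_host)]


def cert_for_handshake(client_host: str) -> tuple:
    """Decide which certificate to present before any NNTP traffic.

    Returns (cert_file, ambiguous). The choice is unambiguous only when every
    applicable group names the same file (or none of them names one).
    Otherwise fall back to the default rather than guess: no nnrpd breaks on
    upgrade, but the per-group certificate cannot be honoured either.
    """
    certs = {g["cert"] for g in applicable_groups(client_host) if g["cert"]}
    if len(certs) == 1:
        return certs.pop(), False
    return DEFAULT_CERT, len(certs) > 1


if __name__ == "__main__":
    for host in ["news.foo", "guest.lab.foo", "mail.bar", "other.example"]:
        names = [g["name"] for g in applicable_groups(host)]
        cert, ambiguous = cert_for_handshake(host)
        print(f"{host:15} groups={names} cert={cert} ambiguous={ambiguous}")
```

Running it shows `news.foo` matching both `foo` and `campus` with different certificate files, which is exactly the case where the server has already committed to one certificate before it can learn which group will end up authorizing the session. (Later TLS versions added a server-name extension that lets the client name the host it wants during the handshake; that mechanism did not exist when this thread was written.)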


