nnrpd multiple SSL certs

Kim Alm kea at penti.org
Fri Jan 4 10:47:26 UTC 2002


On Fri, 4 Jan 2002, Jeffrey M. Vinocur wrote:
> On Thu, 3 Jan 2002, Kim Alm wrote:

> > >>>>But it also opens up the need to specify a file name for the SSL cert

> > > No, it's not.  But I wonder about doing this cleanly so we can integrate
> > > it into CURRENT -- does anyone have thoughts about architecture?
>
> > >  Another commandline flag?
> >
> > That's a clean way to do it, but not very efficient, that would restrict
> > to one cert per nnrpd running. And if someone would like to provide
> > different CERT to all organizations using their server, it would be
> > possible but not very efficient.
>
> Ah, but see below.
>
> > > do we want to try to integrate this *into* readers.conf
> > > somehow? (I don't see any good way to, but it makes sense in a twisted
> > > sort of way)
> >
> > [...]
> >
> > auth "foo" {
> > 	hosts: "*.foo"
> > 	cert:  foo.pem
> > 	...
> > }
> > auth "bar" {
> > 	hosts: "*.bar"
> > 	cert:  bar.pem
> > 	...
> > }
>
> Right, this would be nice.  But it won't work.  (Correct me if I'm wrong.)
>
> At any point, it is possible that multiple auth groups are applicable to a
> given connection.  (We try them in succession.)  But once we negotiate the
> SSL connection, we've already sent the certificate (i.e., before we start
> sending data)...but which one?

The classic problem, what comes first, the chicken or the egg.

Let's assume that the basic rule is that we present the default cert if
nothing else matches.

The flow could be something like:
1: client connects
2: nnrpd checks the readers.conf file, in the same succession as today,
   looking for cert entries that match the host of the client.
    - If it finds a cert entry that matches host, it would present that
      cert.
    - Finds multiple matches, present the first one that matches.
    - Finds none, present the default cert.
3: Negotiate SSL connection
4: Go on with the normal parsing of the readers.conf file

This approach would probably require more modifications to the code than
just adding a command line flag. But I believe that it's more useful.

Kim


