inn using two certificates
Russ Allbery
rra at stanford.edu
Thu Aug 18 15:54:26 UTC 2005
Bill Tangren <bjt at aa.usno.navy.mil> writes:
> I have inn 2.4.1 running on a Linux box here at work. The server offers
> half a dozen or so private newsgroups, but no public ones. I am using
> xinetd to offer secure newsgroup access outside our firewall, and a
> standalone service for secure and unsecure access behind the
> firewall. Each access method has its own readers.conf tailored for its
> use. This Linux box has several names in DNS assigned for its single IP
> number. Many of the users here use thunderbird to access the newsgroups.
> It all works well, except for one thing: I have one cert set up for the
> server, using the most commonly used name for the server (A). If a user
> uses thunderbird to set up newsgroup access using secure access, and he
> uses one of the other names for the server (B), then EVERY time they
> start their client, it (the client) tells them that server B has a
> certificate that contains the name A. This popup message is useful if
> you are accessing a non trusted server, but it is annoying here. I have
> found no way to stop it.
> Does anyone know how I might compile inn (or nnrpd) to use more than one
> certificate?
How would nnrpd know which certificate to offer?
You have to use separate IP addresses per separate certificate with TLS
unless you can use wildcard certificates (well, until clients support the
TLS extension to specify the server name, but pretty much nothing does).
With nnrpd, unfortunately, you're also going to have to run separate nnrpd
processes with separate inn.conf files (or sasl.conf files in STABLE,
which might be trickier to do) to point to different certificate paths.
--
Russ Allbery (rra at stanford.edu) <http://www.eyrie.org/~eagle/>
Please send questions to the list rather than mailing me directly.
<http://www.eyrie.org/~eagle/faqs/questions.html> explains why.
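As an added illustration of the point in the reply (this is example code, not code from the post, from INN or from nnrpd): a TLS client compares the server name it was told to connect to against the names carried in the certificate it receives, so a certificate issued for name A triggers a warning when the user connects as B; a server that is not sent the server-name extension (SNI) has nothing to choose on and can only present one certificate per IP address, while a wildcard certificate covers both names without SNI. The server names and certificate records below are constructed placeholders holding only the DNS names a certificate would be valid for; no real X.509 parsing is done.

```python
"""Client-side server-name matching and server-side certificate selection.

Added illustration; the "certificates" are constructed records holding
only the DNS names a certificate is valid for, not parsed X.509 objects.
"""
from typing import Dict, List, Optional

Cert = Dict[str, object]

# Constructed stand-ins for the names in the thread: "A" is the name the
# existing certificate carries, "B" is the alias some users type in.
NAME_A = "news.example.org"
NAME_B = "nntp.example.org"

CERT_A: Cert = {"label": "cert-for-A", "names": [NAME_A]}
CERT_B: Cert = {"label": "cert-for-B", "names": [NAME_B]}
CERT_WILDCARD: Cert = {"label": "wildcard", "names": ["*.example.org"]}


def _normalize(name: str) -> str:
    """Lower-case and drop a trailing dot; DNS names compare case-insensitively."""
    return name.lower().rstrip(".")


def name_matches(hostname: str, cert_name: str) -> bool:
    """Return True if one certificate name covers hostname.

    Wildcard handling follows the usual client rules: '*' may only be the
    whole left-most label, covers exactly one label, and needs at least
    two labels to its right (so '*.org' is rejected).
    """
    host = _normalize(hostname).split(".")
    pattern = _normalize(cert_name).split(".")
    if any(p == "" for p in host) or any(p == "" for p in pattern):
        return False
    if "*" not in cert_name:
        return host == pattern
    if pattern[0] != "*" or len(pattern) < 3 or any("*" in p for p in pattern[1:]):
        return False
    return len(host) == len(pattern) and host[1:] == pattern[1:]


def cert_covers(cert: Cert, hostname: str) -> bool:
    """True if any name in the certificate matches the hostname."""
    return any(name_matches(hostname, n) for n in cert["names"])


def select_certificate(certs: List[Cert], default: Cert,
                       sni_name: Optional[str]) -> Cert:
    """Server side: pick the certificate to present in one handshake.

    Without SNI (sni_name is None) the server has nothing to go on and can
    only present the default certificate for this IP address; with SNI it
    picks the first certificate covering the requested name.
    """
    if sni_name is None:
        return default
    for cert in certs:
        if cert_covers(cert, sni_name):
            return cert
    return default


def client_accepts(server_name: str, presented: Cert) -> bool:
    """Client side: no warning only if the presented cert covers the typed name."""
    return cert_covers(presented, server_name)


def scenarios() -> Dict[str, bool]:
    """Run the situations from the thread; True means no name-mismatch warning."""
    one_cert = [CERT_A]
    per_name = [CERT_A, CERT_B]
    return {
        # As posted: one cert on the IP, client connects as B -> warning.
        "single cert, client uses B": client_accepts(
            NAME_B, select_certificate(one_cert, CERT_A, None)),
        # A wildcard cert on the same IP covers B without SNI.
        "wildcard cert, client uses B": client_accepts(
            NAME_B, select_certificate([CERT_WILDCARD], CERT_WILDCARD, None)),
        # Separate certs do not help a client that sends no SNI.
        "two certs, no SNI, client uses B": client_accepts(
            NAME_B, select_certificate(per_name, CERT_A, None)),
        # An SNI-capable client lets the server pick the cert for B.
        "two certs, SNI, client uses B": client_accepts(
            NAME_B, select_certificate(per_name, CERT_A, NAME_B)),
    }


if __name__ == "__main__":
    for case, ok in scenarios().items():
        print(f"{case:36s} {'ok' if ok else 'NAME MISMATCH WARNING'}")
```

The third scenario is the one worth remembering when adding certificates: unless every client sends the server-name extension, a second certificate on the same address changes nothing, which is why the reply points at separate IP addresses or a wildcard certificate instead.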