James Hogarth wrote:
I'll try and replicate the blog findings in the course of the next couple of
days .... if it works I'll add it to the wiki ...

Set up a test this morning using Centos 6:

The behaviour was... odd....

SNI itself must have been working as the contents differed depending
on the domain which matched the expectation from the two virtual hosts
however there appears to remain certificate selection issues and/or
issues with respect to the behaviour of the NSS options - only the
last NSSCertificateDatabase seemed to apply rather than be local to a
given VirtualHost (if separating certificate databases) and if in a
common database although Apache reported different nicknamed
certificates in error_log only the first NSSNickname seemed to be used
to obtain the correct certificate...

Set up a similar test on Fedora 17:

Same behaviour occurred (not that surprising given the versions)....

So the short of it is ignore that blog and Rob is right - mod_nss is
not ready yet... if you want SNI you need mod_ssl (or mod_gnutls)...
if you have FIPS etc requirements or other reasons to use mod_nss then
SNI is not at this time possible if you want valid certificates in

Only one nss database may be opened at a time. mod_nss should probably error out if multiple are defined to prevent confusion.

I'd think a nickname should be unique to a given VirtualServer. If not then it's a bug.
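As an added illustration of the two layouts discussed above (not configuration from the thread; hostnames, paths and nicknames are assumptions): the mod_nss form with one NSS database per VirtualHost, which James's tests showed does not give per-name certificate selection, next to the mod_ssl form that does. Both are shown in one file only for comparison; a real server would load just one of the two modules.

```apache
# --- mod_nss layout as tested in the thread (assumed names/paths): one NSS
# database per VirtualHost. Per the thread only the last NSSCertificateDatabase
# takes effect, so both names end up served from the same database/certificate.
Listen 443
NameVirtualHost *:443

<VirtualHost *:443>
    ServerName a.example.test
    NSSEngine on
    NSSCertificateDatabase /etc/httpd/alias-a
    NSSNickname Server-Cert-A
</VirtualHost>

<VirtualHost *:443>
    ServerName b.example.test
    NSSEngine on
    NSSCertificateDatabase /etc/httpd/alias-b
    NSSNickname Server-Cert-B
</VirtualHost>

# --- mod_ssl equivalent: each VirtualHost presents its own certificate,
# selected by the SNI name the client sends.
<VirtualHost *:443>
    ServerName a.example.test
    SSLEngine on
    SSLCertificateFile    /etc/pki/tls/certs/a.example.test.crt
    SSLCertificateKeyFile /etc/pki/tls/private/a.example.test.key
</VirtualHost>

<VirtualHost *:443>
    ServerName b.example.test
    SSLEngine on
    SSLCertificateFile    /etc/pki/tls/certs/b.example.test.crt
    SSLCertificateKeyFile /etc/pki/tls/private/b.example.test.key
</VirtualHost>

# Check which certificate is actually presented for each name (run once per
# ServerName against the local listener):
#   openssl s_client -connect 127.0.0.1:443 -servername b.example.test </dev/null \
#     2>/dev/null | openssl x509 -noout -subject
```

If both names return the same subject, per-name certificate selection is not happening regardless of what error_log reports.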


Freeipa-users mailing list