Re: Misunderstanding and/or possible bug regarding SNI

Mon, 26 Jul 2021 05:16:53 -0700 

Le 26/07/2021 à 13:24, papush a écrit :

Hello,
I'm having issues getting SNI to work, or maybe I'm misunderstanding
its purpose. I have three domains, all pointing to the same server, and
would like opensmtpd to serve the right certificate depending on which
one was used for the connection. The manpage mentions using "*" as a
pki name for SNI, so my first attempt was something like:

pki "*" cert "/etc/certs/domain1/fullchain.pem"
pki "*" key "/etc/certs/domain1/privkey.pem"
pki "*" cert "/etc/certs/domain2/fullchain.pem"
pki "*" key "/etc/certs/domain2/privkey.pem"
...
listen on 0.0.0.0 tls pki "*"
I wasn’t aware of that, and I don’t use it. But I don’t think you should have a `pki` on the `listen on` directive in this case. 


However that lead to the last pki cert/key defined always being used.
Looking at the archive of this mailing list it seems what I should be
doing is:

pki domain1 cert "/etc/certs/domain1/fullchain.pem"
pki domain1 key "/etc/certs/domain1/privkey.pem"
pki domain2 cert "/etc/certs/domain2/fullchain.pem"
pki domain2 key "/etc/certs/domain2/privkey.pem"
...
listen on 0.0.0.0 tls

leaving out the pki option of the listen directive, but that didn't
work, the debug output of smtpd saying that it is 'looking up pki
"okanieba"' (my hostname) followed by a disconnection "reason=ca-
failure".
That does work for me, although note that I specify a `hostname myhostname.domain.name` in the listen directive which might make a difference. 


Wanting my server to get back to a "working" state where it simply
serves the wrong certificate but proceeds happily if the client doesn't
mind, i changed the listen directive to 'listen on 0.0.0.0 tls pki
domain1', and to my surprise that also made SNI work? The debug output
always says it looks up domain1's pki, but when supplying domain2 as
server name on connection it serves domain2's certificate.

Is this expected behavior? Also, what is the purpose of "*" then?


Which smtpd version do you have?
In 6.9, the man page changed and `*` is not mentioned anymore, and instead the `pki` option of `listen` says this:
> This option can be used multiple times to provide alternate certificates for SNI.
So not sure what was the expected behaviour before, but it does work for me without `*` nor `pki` option on `listen` directives.

Reply via email to