Hi there,

while Pound 2.6 already supports SNI - which is great - it currently
only looks at the common name of a certificate when deciding which
certificate to use. This leads to "wrong" certificate selection if the
hostname in question isn't the primary certificate name.

Max Wolter <[email protected]> developed a patch for us to make
Pound correctly look for alternative subject names. It doesn't need any
configuration; it simply makes Pound "just work" as expected:

http://jonaspasche.com/pound/Pound-2.6-altnames.patch

For convenience, here's a version combined with Joe Gooch's
SSLAllowClientRenegotiation and SSLHonorCipherOrder patch [1] which
we're also using:

http://jonaspasche.com/pound/Pound-2.6-reneg-ciphers-altnames.patch

For even more convenience, here's another version combined with Joe
Gooch's SSLAllowClientRenegotiation and SSLHonorCipherOrder patch [1]
and Martin Meredith's DisableSSLv2 patch [2] which we're also using:

http://jonaspasche.com/pound/Pound-2.6-reneg-ciphers-altnames-nosslv2.patch

Any feedback is highly appreciated. We'd also suggest this for 2.7, if
suggestions are still possible.

Best regards,
Jonas

[1] http://www.apsis.ch/pound/pound_list/archive/2012/2012-02/1328105174000#1328207465000
[2] http://www.apsis.ch/pound/pound_list/archive/2012/2012-01/1327928733000#1327928733000

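Editor's note: the following is an added illustration of the selection problem described in the message above, written for this page. It is not Jonas's patch, not Pound's code, and it does not parse X.509; certificates are modelled as plain records with a CN and a list of subjectAltName dNSName entries so the matching logic can be run offline. The three sample certificates and the "fall back to the first configured certificate" behaviour are constructed assumptions, not taken from Pound. The wildcard rules follow the usual RFC 6125 conventions (wildcard only as the whole leftmost label, matching exactly one label).

```python
"""SNI certificate selection: matching on the subject CN alone versus
matching on the subjectAltName dNSName entries a client actually verifies.

Certificates are modelled as plain records (no X.509 parsing) so that the
selection logic can be exercised and tested without a TLS library.
"""
from dataclasses import dataclass, field
from typing import List


@dataclass
class Cert:
    label: str                                       # identifier for output only
    common_name: str                                 # subject CN
    san_dns: List[str] = field(default_factory=list)  # subjectAltName dNSName values


def _normalize(name: str) -> str:
    # DNS names compare case-insensitively; a trailing dot names the same host.
    return name.lower().rstrip(".")


def name_matches(pattern: str, hostname: str) -> bool:
    """Compare one certificate name against an SNI host name.

    A wildcard is honoured only as the entire leftmost label ("*.example.org"),
    matches exactly one label, and is rejected for patterns as short as
    "*.com".  Partial wildcards such as "f*.example.com" are rejected too.
    """
    pattern, hostname = _normalize(pattern), _normalize(hostname)
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or any("*" in lab for lab in p_labels[1:]):
        return False                     # partial or non-leftmost wildcard
    if len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False                     # "*.com", or wildcard spanning labels
    return p_labels[1:] == h_labels[1:]


def verifiable_names(cert: Cert) -> List[str]:
    """Names a verifying client will accept: SAN dNSNames when present,
    otherwise (legacy certificates only) the CN."""
    return cert.san_dns if cert.san_dns else [cert.common_name]


def select_cn_only(certs: List[Cert], sni: str) -> Cert:
    """CN-only selection as the message describes for Pound 2.6.
    Fallback to the first configured certificate is an assumption made here."""
    for cert in certs:
        if name_matches(cert.common_name, sni):
            return cert
    return certs[0]


def select_san_aware(certs: List[Cert], sni: str) -> Cert:
    """Selection that considers every name the client will check."""
    for cert in certs:
        if any(name_matches(n, sni) for n in verifiable_names(cert)):
            return cert
    return certs[0]                      # same assumed fallback as above


# Constructed sample certificates, deliberately ordered so that the CN-only
# fallback lands on an unrelated certificate.
CERTS = [
    Cert("legacy", "legacy.example.net"),
    Cert("example.com", "www.example.com",
         ["www.example.com", "example.com", "mail.example.com"]),
    Cert("example.org", "*.example.org", ["*.example.org", "example.org"]),
]


if __name__ == "__main__":
    for sni in ("mail.example.com", "example.org", "a.b.example.org"):
        print(f"{sni:18} CN-only -> {select_cn_only(CERTS, sni).label:12}"
              f" SAN-aware -> {select_san_aware(CERTS, sni).label}")
```

"mail.example.com" is only present as a SAN, so CN-only selection falls through to the first certificate while SAN-aware selection picks the right one; "example.org" shows the same for a bare domain listed beside a wildcard; "a.b.example.org" shows that a one-label wildcard does not cover deeper names, so even the SAN-aware selector has nothing better than the fallback.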