Hi there, while Pound 2.6 already supports SNI - which is great - it currently only looks at the common name of a certificate when deciding which certificate to use. This leads to "wrong" certificate selection if the hostname in question isn't the primary certificate name.
Max Wolter <[email protected]> developed a patch for us to make Pound correctly look for alternative subject names. It doesn't need any configuration; it simply makes Pound "just work" as expected:

http://jonaspasche.com/pound/Pound-2.6-altnames.patch

For convenience, here's a version combined with Joe Gooch's SSLAllowClientRenegotiation and SSLHonorCipherOrder patch [1] which we're also using:

http://jonaspasche.com/pound/Pound-2.6-reneg-ciphers-altnames.patch

For even more convenience, here's another version combined with Joe Gooch's SSLAllowClientRenegotiation and SSLHonorCipherOrder patch [1] and Martin Meredith's DisableSSLv2 patch [2] which we're also using:

http://jonaspasche.com/pound/Pound-2.6-reneg-ciphers-altnames-nosslv2.patch

Any feedback is highly appreciated. We'd also suggest this for 2.7, if suggestions are still possible.

Best regards,
Jonas

[1] http://www.apsis.ch/pound/pound_list/archive/2012/2012-02/1328105174000#1328207465000
[2] http://www.apsis.ch/pound/pound_list/archive/2012/2012-01/1327928733000#1327928733000
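To make the selection defect described in the post concrete, here is an added illustration that is not part of the message, the patch, or Pound's own C/OpenSSL source: a small Python model of SNI certificate selection that first matches the SNI host name against the certificate CN only (the Pound 2.6 behaviour the post describes) and then against CN plus subjectAltName dNSName entries (what the patch adds). The certificate objects and host names are constructed stand-ins, and the wildcard rule follows the usual RFC 6125 interpretation (one left-most label only).

```python
"""Model of SNI certificate selection: CN-only versus CN + subjectAltName.
Certificates here are constructed stand-ins, not parsed X.509 objects."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Cert:
    label: str
    common_name: str
    alt_names: list = field(default_factory=list)  # SAN dNSName entries


def name_matches(pattern: str, hostname: str) -> bool:
    """Compare a certificate name with the SNI host: case-insensitive,
    trailing dot ignored, '*' allowed only as the whole left-most label
    and matching exactly one label (so '*.example.org' != 'example.org')."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    suffix = pattern[1:]                      # ".example.org"
    if not hostname.endswith(suffix):
        return False
    first_label = hostname[: -len(suffix)]
    return bool(first_label) and "." not in first_label


def select_cn_only(certs, sni_host) -> Optional[Cert]:
    """Pound 2.6 behaviour per the post: only the CN is consulted.
    None means 'no explicit match', i.e. the default cert would be served."""
    for cert in certs:
        if name_matches(cert.common_name, sni_host):
            return cert
    return None


def select_with_altnames(certs, sni_host) -> Optional[Cert]:
    """Patched behaviour: CN first, then every SAN dNSName entry."""
    for cert in certs:
        if name_matches(cert.common_name, sni_host):
            return cert
        if any(name_matches(n, sni_host) for n in cert.alt_names):
            return cert
    return None


# Constructed sample: a multi-domain cert and a wildcard cert.
CERTS = [
    Cert("cert-A", "www.example.org",
         ["www.example.org", "example.org", "mail.example.org"]),
    Cert("cert-B", "shop.example.net",
         ["shop.example.net", "*.shop.example.net"]),
]
```

With this sample, an SNI of `mail.example.org` finds no CN match and would be answered with the default certificate, while the SAN-aware selection returns cert-A as intended.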