Re: [courier-users] SNI for SSL negotiations
Mark Constable writes:

> Might be a vaguely related example here...
>
> https://github.com/nginx/nginx/blob/master/src/http/ngx_http_request.c#L822

Most of the code in there references other nginx-related internal functions, likely wrappers for the SSL code.

Did some further digging inside openssl's innards. The relevant API calls are SSL_CTX_set_tlsext_servername_callback(), on the server side, and SSL_set_tlsext_host_name() on the client side. Neither one of them has a man page. Google was unable to find any documentation on openssl's web site either. There were some hits on stackoverflow, and they refer to the source code to s_client.c and s_server.c from the OpenSSL distribution.

I'm sure the OpenSSL folks are all donating their free time into it, like myself, so can't really knock them for the lacking API documentation. Perhaps the LibreSSL fork will eventually find the time to write some good documentation. And maybe pick a better name…

Anyway, after some digging around, I think I have what I need to finally add this to my OpenSSL code.

--
Site24x7 APM Insight: Get Deep Visibility into Application Performance
APM + Mobile APM + RUM: Monitor 3 App instances at just $35/Month
Monitor end-to-end web transactions and take corrective actions now
Troubleshoot faster and improve end-user experience. Signup Now!
http://pubads.g.doubleclick.net/gampad/clk?id=272487151&iu=/4140
___
courier-users mailing list
courier-users@lists.sourceforge.net
Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users
Re: [courier-users] SNI for SSL negotiations
Mark Constable wrote:

>>> Would mail clients like Thunderbird need to understand SNI as well
>>> or would it be up to only the server daemon to present the right
>>> certificate?
>>
>> Both. SNI is a protocol extension. Both the client and the server
>> have to be explicitly coded to support it.
>
> Thanks for the confirmation. According to this posting in 2011 the
> author noted that Thunderbird does initiate the SSL handshake with
> the hostname in plain text so it probably does do SNI. Promising.
>
> http://forums.mozillazine.org/viewtopic.php?f=39&t=2316281

I have used it and I confirm that thunderbird does support SNI and is able to interact correctly with courier.

> I also found this reference so I'll give it a try, even though the
> custom Debian packages I use most likely do not use GnuTLS.

They don't. You will need to recompile the package using gnutls. Simply add --with-gnutls to COMMON_CONFOPTS in debian/rules and run dpkg-buildpackage (you will need the appropriate gnutls library and header files).

I agree it would be nice to have two different packages providing courier-ssl in debian with the two crypto libraries. Even if you are only using the common subset of code,¹ it would be handy to have such option packaged for switching when new vulnerabilities are found (or going to be released).

¹ It's quite sad that their configurations aren't compatible, though.
Re: [courier-users] SNI for SSL negotiations
>> Would mail clients like Thunderbird need to understand SNI as well
>> or would it be up to only the server daemon to present the right
>> certificate?
>
> Both. SNI is a protocol extension. Both the client and the server
> have to be explicitly coded to support it.

Thanks for the confirmation. According to this posting in 2011 the author noted that Thunderbird does initiate the SSL handshake with the hostname in plain text so it probably does do SNI. Promising.

http://forums.mozillazine.org/viewtopic.php?f=39&t=2316281

I also found this reference so I'll give it a try, even though the custom Debian packages I use most likely do not use GnuTLS.

*** SNI

If the IMAP server is supposed to work for different domain names, the TLS extension SNI comes into play. The way how Courier implements this is:

Set TLS_CERTFILE to a base path, e.g.

    TLS_CERTFILE=/etc/ssl/private/imap.pem

The concrete certificates must then be stored in files that are formed by appending the domain name to the base path, e.g.

    /etc/ssl/private/imap.pem.example.com

Courier will look up the correct certificate based on the host name advertised during the TLS/SNI exchange.
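The following is an added example, not Courier's code and not from any poster in this thread. It models the lookup scheme quoted above (TLS_CERTFILE as a base path, plus "." and the SNI host name, falling back to the base file) and wires it into Python's ssl module, whose SSLContext.sni_callback and wrap_socket(server_hostname=...) are wrappers around the two OpenSSL calls Sam names in his later message, SSL_CTX_set_tlsext_servername_callback() and SSL_set_tlsext_host_name(). Assumptions of this example that the page does not state: host names are matched case-insensitively and a trailing dot is tolerated; the demo function uses empty placeholder files in a temporary directory rather than real keys. The practical point it adds is that the SNI value arrives from an unauthenticated client, so it is validated as a DNS name before it is ever joined to a filesystem path.

```python
import os
import re
import ssl
import tempfile

# One DNS label: 1-63 letters, digits or hyphens, not starting or ending with
# a hyphen. This is the whole alphabet a legitimate SNI name can use.
_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def valid_sni_hostname(name):
    """True if name is a syntactically valid hostname, safe to embed in a path.

    The SNI name comes from the ClientHello before any authentication, so it
    is untrusted input: empty labels, slashes, '..' and the like are rejected.
    """
    if not isinstance(name, str) or not name:
        return False
    name = name.rstrip(".")            # assumption: tolerate a trailing dot
    if not name or len(name) > 253:
        return False
    return all(_LABEL.match(label) for label in name.split("."))


def select_certfile(base_path, sni_name):
    """Courier-style lookup: base_path + '.' + hostname, else base_path.

    base_path is the TLS_CERTFILE value; sni_name is the ClientHello name,
    or None when the client sent no SNI extension at all.
    """
    if sni_name is not None and valid_sni_hostname(sni_name):
        # assumption: match case-insensitively by lowercasing the name
        candidate = "%s.%s" % (base_path, sni_name.rstrip(".").lower())
        if os.path.isfile(candidate):
            return candidate
    return base_path                   # default certificate for unknown names


def make_server_context(base_path):
    """Server SSLContext that swaps certificates per SNI name.

    SSLContext.sni_callback is Python's wrapper around OpenSSL's
    SSL_CTX_set_tlsext_servername_callback(); the callback receives the
    hostname from the ClientHello and may replace the socket's context.
    Requires real PEM files (key + certificate) at base_path.
    """
    default_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    default_ctx.load_cert_chain(base_path)   # key and cert in one PEM file
    per_host = {}                            # certfile path -> SSLContext

    def sni_callback(sslsock, server_name, _ctx):
        certfile = select_certfile(base_path, server_name)
        if certfile == base_path:
            return None                      # no match: keep default context
        if certfile not in per_host:         # build per-host context lazily
            ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
            ctx.load_cert_chain(certfile)
            per_host[certfile] = ctx
        sslsock.context = per_host[certfile]
        return None                          # None lets the handshake proceed

    default_ctx.sni_callback = sni_callback
    return default_ctx


def demo_lookup():
    """Exercise select_certfile on a constructed TLS_CERTFILE layout.

    Creates empty placeholder files (no real keys) in a temporary directory,
    mirroring /etc/ssl/private/imap.pem and imap.pem.example.com.
    """
    tmp = tempfile.mkdtemp()
    base = os.path.join(tmp, "imap.pem")
    for path in (base, base + ".example.com", base + ".mail.example.org"):
        open(path, "w").close()
    return {
        "exact match": select_certfile(base, "example.com") == base + ".example.com",
        "case folded": select_certfile(base, "EXAMPLE.COM") == base + ".example.com",
        "trailing dot": select_certfile(base, "mail.example.org.") == base + ".mail.example.org",
        "unknown host": select_certfile(base, "other.example.net") == base,
        "no SNI sent": select_certfile(base, None) == base,
        "malformed name": select_certfile(base, "../../not-a-host") == base,
    }
```

On the client side the matching call is ctx.wrap_socket(sock, server_hostname="imap.example.com"), which makes Python call SSL_set_tlsext_host_name() so that the name is carried in the ClientHello. A client that omits server_hostname sends no SNI and lands on the base certificate.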
Re: [courier-users] SNI for SSL negotiations
Mark Constable writes:

> Would mail clients like Thunderbird need to understand SNI as well
> or would it be up to only the server daemon to present the right
> certificate?

Both. SNI is a protocol extension. Both the client and the server have to be explicitly coded to support it.
Re: [courier-users] SNI for SSL negotiations
On 03/03/16 12:37, Sam Varshavchik wrote:

>> Is there any possibility that SNI negotiation can take place when
>> doing SSL handshakes with couriers daemons so that multiple SSL
>> certificates can be used on the same IP?
>
> I haven't yet found the time to investigate what needs to be done
> to support SNI with OpenSSL. OpenSSL's documentation was always
> difficult to decipher overall, good examples are hard to come by.

Okay, close with GnuTLS but not OpenSSL so not completely out of the question, perhaps. It's just that now LetsEncrypt is becoming popular it will be super easy to add real certificates to any and all vhosts on a single server with a single IP.

Would mail clients like Thunderbird need to understand SNI as well or would it be up to only the server daemon to present the right certificate?

Might be a vaguely related example here...

https://github.com/nginx/nginx/blob/master/src/http/ngx_http_request.c#L822
Re: [courier-users] SNI for SSL negotiations
Mark Constable writes:

> I think I may have asked this question many years ago but just in case
> things have changed.
>
> Is there any possibility that some of SNI negotiation can take place
> when doing SSL handshakes with couriers daemons so that multiple SSL
> certificates can be used on the same IP?

Courier should support SNI when it's built with GnuTLS. GnuTLS's API for SNI is well documented.

I haven't yet found the time to investigate what needs to be done to support SNI with OpenSSL. OpenSSL's documentation was always difficult to decipher overall, good examples are hard to come by.
[courier-users] SNI for SSL negotiations
I think I may have asked this question many years ago but just in case things have changed.

Is there any possibility that some of SNI negotiation can take place when doing SSL handshakes with couriers daemons so that multiple SSL certificates can be used on the same IP?