Re: [courier-users] SNI for SSL negotiations

2016-03-03 Thread Sam Varshavchik

Mark Constable writes:


> Might be a vaguely related example here...
>
> https://github.com/nginx/nginx/blob/master/src/http/ngx_http_request.c#L822


Most of the code in there references other nginx-related internal functions,  
likely wrappers for the SSL code.


Did some further digging inside openssl's innards. The relevant API calls  
are SSL_CTX_set_tlsext_servername_callback(), on the server side, and  
SSL_set_tlsext_host_name() on the client side.


Neither one of them has a man page. Google was unable to find any  
documentation on openssl's web site either. There were some hits on  
stackoverflow, and they refer to the source code of s_client.c and  
s_server.c from the OpenSSL distribution.


I'm sure the OpenSSL folks are all donating their free time to it, like  
myself, so I can't really knock them for the lacking API documentation.  
Perhaps the LibreSSL fork will eventually find the time to write some good  
documentation. And maybe pick a better name…


Anyway, after some digging around, I think I have what I need to finally add  
this to my OpenSSL code.




--
Site24x7 APM Insight: Get Deep Visibility into Application Performance
APM + Mobile APM + RUM: Monitor 3 App instances at just $35/Month
Monitor end-to-end web transactions and take corrective actions now
Troubleshoot faster and improve end-user experience. Signup Now!
http://pubads.g.doubleclick.net/gampad/clk?id=272487151&iu=/4140
___
courier-users mailing list
courier-users@lists.sourceforge.net
Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users


Re: [courier-users] SNI for SSL negotiations

2016-03-03 Thread Ángel González
Mark Constable wrote:
> > > 
> > > Would mail clients like Thunderbird need to understand SNI as
> > > well
> > > or would it be up to only the server daemon to present the right
> > > certificate?
> > Both. SNI is a protocol extension. Both the client and the server
> > have to be explicitly coded to support it.
> Thanks for the confirmation. According to this posting in 2011 the
> author noted that Thunderbird does initiate the SSL handshake with
> the hostname in plain text so it probably does do SNI. Promising.
> 
> http://forums.mozillazine.org/viewtopic.php?f=39&t=2316281

I have used it and I confirm that thunderbird does support SNI and is
able to interact correctly with courier.


> I also found this reference so I'll give it a try, even though the
> custom Debian packages I use most likely do not use GnuTLS.

They don't. You will need to recompile the package using gnutls.

Simply add --with-gnutls to COMMON_CONFOPTS in debian/rules and run
dpkg-buildpackage (you will need the appropriate gnutls library and
header files).

I agree it would be nice to have two different packages providing
courier-ssl in debian with the two crypto libraries. Even if you are
only using the common subset of code,¹ it would be handy to have such
option packaged for switching when new vulnerabilities are found (or
going to be released).


¹ It's quite sad that their configurations aren't compatible, though.




Re: [courier-users] SNI for SSL negotiations

2016-03-02 Thread Mark Constable
>> Would mail clients like Thunderbird need to understand SNI as well
>> or would it be up to only the server daemon to present the right
>> certificate?
>
> Both. SNI is a protocol extension. Both the client and the server
> have to be explicitly coded to support it.

Thanks for the confirmation. According to this posting in 2011 the
author noted that Thunderbird does initiate the SSL handshake with
the hostname in plain text so it probably does do SNI. Promising.

http://forums.mozillazine.org/viewtopic.php?f=39&t=2316281

I also found this reference so I'll give it a try, even though the
custom Debian packages I use most likely do not use GnuTLS.

***

SNI

If the IMAP server is supposed to work for different domain names,
the TLS extension SNI comes into play. The way Courier implements
this is:

Set TLS_CERTFILE to a base path, e.g.

TLS_CERTFILE=/etc/ssl/private/imap.pem

The concrete certificates must then be stored in files that are formed
by appending the domain name to the base path, e.g.

/etc/ssl/private/imap.pem.example.com

Courier will look up the correct certificate based on the host name
advertised during the TLS/SNI exchange.


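The two technical pieces of this thread, the OpenSSL calls Sam names (SSL_CTX_set_tlsext_servername_callback() on the server, SSL_set_tlsext_host_name() on the client) and the TLS_CERTFILE naming scheme quoted above (base path plus "." plus the SNI host name), as one added example in Python. This is not Courier's or OpenSSL's code: Python's SSLContext.sni_callback wraps the former OpenSSL call and wrap_socket(server_hostname=...) the latter, so the same mechanics can be shown without C. It goes slightly beyond the quoted description on purpose: the SNI name arrives in the clear from an unauthenticated client and ends up in a file name, so it is validated before touching the filesystem. The hostname regex, the fallback to the base certificate, case-folding, the fatal alert on an unloadable per-host file, and the temporary directory of empty placeholder files used as a constructed certificate store are all this example's assumptions; the thread does not say what Courier does in those cases.

```python
"""SNI certificate selection in the TLS_CERTFILE.<host> scheme, wired into
Python's ssl module.  Added example, not Courier's or OpenSSL's code.

SSLContext.sni_callback wraps OpenSSL's SSL_CTX_set_tlsext_servername_callback();
wrap_socket(server_hostname=...) wraps SSL_set_tlsext_host_name().
"""
import os
import re
import ssl
import tempfile
from typing import Dict, Optional

# Assumption: a host name is labels of letters, digits and hyphens joined by
# single dots.  The SNI value is attacker-controlled and becomes part of a
# file name, so '/', NUL, a leading '.' and '..' must never get past this.
_HOSTNAME_RE = re.compile(r"^(?![.-])(?!.*\.\.)[A-Za-z0-9.-]{1,253}$")


def select_cert_file(base_path: str, servername: Optional[str]) -> str:
    """Map TLS_CERTFILE base path + SNI host name to a certificate file.

    /etc/ssl/private/imap.pem + "example.com"
        -> /etc/ssl/private/imap.pem.example.com
    Returns base_path when no SNI name was sent, the name is malformed, or no
    per-host file exists (fallback and case-folding are this example's
    choices, not documented Courier behaviour).
    """
    if not servername:
        return base_path
    name = servername.rstrip(".").lower()  # "Example.COM." -> "example.com"
    if not _HOSTNAME_RE.match(name):
        return base_path
    candidate = f"{base_path}.{name}"
    return candidate if os.path.isfile(candidate) else base_path


def make_sni_callback(base_path: str):
    """Build the function assigned to SSLContext.sni_callback.

    Called mid-handshake as (ssl_object, servername, default_ctx).  Returning
    None continues with whatever context ssl_object now carries; returning an
    ssl.ALERT_DESCRIPTION_* constant aborts the handshake with that alert.
    Contexts are cached per file so each PEM is parsed once, not per handshake.
    """
    cache: Dict[str, ssl.SSLContext] = {}

    def sni_callback(ssl_object, servername, default_ctx):
        cert_file = select_cert_file(base_path, servername)
        if cert_file == base_path:
            return None  # keep the default certificate
        ctx = cache.get(cert_file)
        if ctx is None:
            ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
            try:
                ctx.load_cert_chain(cert_file)
            except OSError:
                # Unreadable or malformed per-host file: fail the handshake
                # (alert 80, internal_error) rather than silently answering
                # with the wrong certificate.
                return ssl.ALERT_DESCRIPTION_INTERNAL_ERROR
            cache[cert_file] = ctx
        ssl_object.context = ctx  # swap the certificate for this connection
        return None

    return sni_callback


def server_context(base_path: str) -> ssl.SSLContext:
    """Default server context: presents base_path unless the callback swaps it."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(base_path)
    ctx.sni_callback = make_sni_callback(base_path)
    return ctx


def client_socket(sock, hostname: str) -> ssl.SSLSocket:
    """Client side: server_hostname= puts hostname into the SNI extension and
    is also the name verified against the certificate the server returns."""
    return ssl.create_default_context().wrap_socket(sock, server_hostname=hostname)


def demo_store(entries=("example.com", "mail.example.org")) -> str:
    """Constructed certificate store: a temp dir with empty placeholder files
    standing in for imap.pem and imap.pem.<host>; enough for the name lookup."""
    base = os.path.join(tempfile.mkdtemp(), "imap.pem")
    for suffix in ("",) + tuple("." + e for e in entries):
        open(base + suffix, "w").close()
    return base


if __name__ == "__main__":
    base = demo_store()
    for sni in ("example.com", "EXAMPLE.COM.", "other.net", "../../etc/passwd", None):
        print(f"{sni!r:24} -> {select_cert_file(base, sni)}")
```

On a real server you would call server_context("/etc/ssl/private/imap.pem") with genuine PEM files in place and wrap each accepted connection with ctx.wrap_socket(conn, server_side=True); the placeholder store above only exercises the lookup, and an empty per-host file makes the callback abort the handshake, which is the behaviour you want to see for a broken certificate rather than a silent fallback.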


Re: [courier-users] SNI for SSL negotiations

2016-03-02 Thread Sam Varshavchik

Mark Constable writes:


> Would mail clients like Thunderbird need to understand SNI as well
> or would it be up to only the server daemon to present the right
> certificate?


Both. SNI is a protocol extension. Both the client and the server have to be  
explicitly coded to support it.






Re: [courier-users] SNI for SSL negotiations

2016-03-02 Thread Mark Constable
On 03/03/16 12:37, Sam Varshavchik wrote:
>> Is there any possibility that SNI negotiation can take place when
>> doing SSL handshakes with Courier's daemons so that multiple SSL
>> certificates can be used on the same IP?
>
> I haven't yet found the time to investigate what needs to be done
>to support SNI with OpenSSL. OpenSSL's documentation was always
> difficult to decipher overall, good examples are hard to come by.

Okay, close with GnuTLS but not OpenSSL so not completely out of the
question, perhaps. It's just that now LetsEncrypt is becoming popular
it will be super easy to add real certificates to any and all vhosts
on a single server with a single IP.

Would mail clients like Thunderbird need to understand SNI as well
or would it be up to only the server daemon to present the right
certificate?

Might be a vaguely related example here...

https://github.com/nginx/nginx/blob/master/src/http/ngx_http_request.c#L822



Re: [courier-users] SNI for SSL negotiations

2016-03-02 Thread Sam Varshavchik

Mark Constable writes:


> I think I may have asked this question many years ago but just in
> case things have changed. Is there any possibility that some SNI
> negotiation can take place when doing SSL handshakes with Courier's
> daemons so that multiple SSL certificates can be used on the same IP?


Courier should support SNI when it's built with GnuTLS. GnuTLS's API for SNI  
is well documented.


I haven't yet found the time to investigate what needs to be done to support  
SNI with OpenSSL. OpenSSL's documentation was always difficult to decipher  
overall, good examples are hard to come by.

