Closed
Bug 593089
Opened 14 years ago
Closed 14 years ago
Improve selfserv's SNI-based cert selection for certs with multiple DNS names
Categories
(NSS :: Tools, enhancement, P3)
NSS
Tools
Tracking
(Not tracked)
RESOLVED
DUPLICATE
of bug 570370
3.13
People
(Reporter: nelson, Assigned: nelson)
Details
Attachments
(1 obsolete file)
Attached is a patch for selfserv on the trunk. It makes selfserv choose from among multiple server certificates by looking up the client's SNI name in the host names in the cert(s), and picking the first cert that it finds with a matching host name. It uses the same host name matching function as our clients use.

With this patch, it is no longer necessary to use a DNS name for a cert's nickname, because the nickname is not used for matching with SNI strings. It is also no longer necessary to provide multiple DNS names on the command line. selfserv will use all the host names found in the cert(s).

This patch makes the -a and -n options synonymous. Either one or both may be used to specify a nickname for a cert, and up to 10 nicknames may be given. The first nickname given becomes the "default" cert, the one used if no SNI option is present in the client hello.

I have been running this patch at home continuously for 9 weeks. I use selfserv with certs from my own CA to respond to requests sent to https ad servers that are redirected to 127.1 via my hosts file.

This patch also makes one other change, which makes the patch MUCH larger than it otherwise needs to be. It removes the name "selfserv" from all the error messages, and instead displays the name given on the command line to invoke the program. This adds a lot of lines to the patch, but they are trivial to review.
Attachment #471569 -
Flags: review?(alexei.volkov.bugs)
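As an added illustration of the selection rule the report describes (this is not the attached patch or NSS code), a small Python model of SNI-based cert selection: the first cert whose DNS names match the SNI name wins, and the first cert listed is the default when the client sends no SNI. The certificate records are constructed, and host_name_matches is a simplified RFC 6125-style stand-in for the NSS host name matcher the patch reuses.

```python
import re

# Constructed sample "certificates": (nickname, DNS names carried by the cert).
# Illustrative records only, not real certificates or NSS data structures.
CERTS = [
    ("default-cert", ["www.example.test", "example.test"]),
    ("ads-cert", ["*.ads.example.test"]),
    ("static-cert", ["static.example.test", "cdn.example.test"]),
]

# A single DNS label: letters, digits and hyphens, no dots.
LABEL = re.compile(r"^[a-z0-9-]+$")


def host_name_matches(pattern, host):
    """Compare one DNS name from a cert against the client's SNI name.

    Case-insensitive, tolerant of a trailing dot. A leading '*' label matches
    exactly one label (RFC 6125 style) and may not stand for a whole public
    suffix such as '*.test'. Simplified stand-in for NSS's own matcher.
    """
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern == host:
        return True
    if not pattern.startswith("*."):
        return False
    suffix = pattern[2:]
    if "*" in suffix or suffix.count(".") < 1:
        return False  # one wildcard only, and at least two fixed labels
    if not host.endswith("." + suffix):
        return False
    first_label = host[: -len(suffix) - 1]
    return bool(LABEL.match(first_label))  # wildcard covers exactly one label


def select_cert(certs, sni_name):
    """Return the nickname of the cert to present for this client hello.

    No SNI (None) -> the first cert listed, the "default". Otherwise the
    first cert with a matching host name. With no match this returns None;
    the report does not say what selfserv does in that case.
    """
    if not certs:
        raise ValueError("no server certs configured")
    if sni_name is None:
        return certs[0][0]
    for nickname, dns_names in certs:
        if any(host_name_matches(name, sni_name) for name in dns_names):
            return nickname
    return None
```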
Assignee
Updated•14 years ago
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → DUPLICATE
Assignee
Comment 2•14 years ago
Comment on attachment 471569 [details] [diff] [review] Patch for trunk - v1
I'd mark this copy of the patch obsolete, if I could figure out how! :-/
Assignee
Updated•14 years ago
Attachment #471569 -
Attachment is obsolete: true
Attachment #471569 -
Flags: review?(alexei.volkov.bugs)