Closed Bug 593089 Opened 14 years ago Closed 14 years ago

Improve selfserv's SNI-based cert selection for certs with multiple DNS names

Categories: NSS :: Tools, enhancement, P3

Tracking: (Not tracked)

RESOLVED DUPLICATE of bug 570370

People

(Reporter: nelson, Assigned: nelson)

Details

Attachments

(1 obsolete file)

Attached patch: Patch for trunk - v1 (obsolete)
Attached is a patch for selfserv on the trunk. It makes selfserv choose from
among multiple server certificates by looking up the client's SNI name in the 
host names in the cert(s), and picking the first cert that it finds with a 
matching host name.  It uses the same host name matching function as our 
clients use.  

With this patch, it is no longer necessary to use a DNS name for a cert's nickname, because the nickname is not used for matching with SNI strings.
It is also no longer necessary to provide multiple DNS names on the command
line.  selfserv will use all the host names found in the cert(s).  

This patch makes the -a and -n options synonymous.  Either one or both may be 
used to specify a nickname for a cert, and up to 10 nicknames may be given.
The first nickname given becomes the "default" cert, the one used if no 
SNI option is present in the client hello.

I have been running this patch at home continuously for 9 weeks.  I use 
selfserv with certs from my own CA to respond to requests sent to https 
ad servers that are redirected to 127.1 via my hosts file.  

This patch also makes one other change, which makes the patch MUCH larger 
than it otherwise needs to be.  It removes the name "selfserv" from all 
the error messages, and instead displays the name given on the command 
line to invoke the program.  This adds a lot of lines to the patch, but 
they are trivial to review.
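The selection rule the comment describes (look up the client's SNI name among the DNS names in each loaded cert, take the first cert that matches, and fall back to the first cert given on the command line when the ClientHello carries no SNI extension) is shown below as an added, self-contained example. It is not selfserv's code and does not use NSS's own host-name matching function; it models certs as plain structs with their dNSName entries, and the nicknames, host names and the `server_cert` type are assumptions made for the example. The matcher is a deliberately simplified version of the rule clients apply: case-insensitive comparison, and a wildcard honoured only as the entire leftmost label, standing for exactly one label.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_NAMES 8

/* Hypothetical stand-in for a loaded server certificate: its nickname
 * plus the DNS names found in the cert (subjectAltName dNSName entries). */
typedef struct {
    const char *nickname;
    const char *dns_names[MAX_NAMES];
    size_t      num_names;
} server_cert;

/* Case-insensitive equality of two NUL-terminated strings. */
static int str_ieq(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return 0;
    return *a == '\0' && *b == '\0';
}

/* Does a DNS name taken from a cert match the host name sent in SNI?
 * Simplified model (not NSS's function): case-insensitive; a wildcard is
 * honoured only when it is the entire leftmost label ("*.example.test")
 * and it stands for exactly one label, so "*.example.test" matches
 * "ads.example.test" but neither "example.test" nor "a.b.example.test". */
int host_name_matches(const char *cert_name, const char *host)
{
    if (cert_name == NULL || host == NULL || *cert_name == '\0' || *host == '\0')
        return 0;
    if (cert_name[0] != '*')
        return str_ieq(cert_name, host);
    if (cert_name[1] != '.' || cert_name[2] == '\0')
        return 0;                          /* "*foo.test" or "*." is not a wildcard name */
    const char *rest = strchr(host, '.');  /* host minus its leftmost label */
    if (rest == NULL || rest == host)
        return 0;                          /* nothing before the dot for '*' to stand for */
    return str_ieq(rest, cert_name + 1);   /* ".example.test" vs ".example.test" */
}

/* Choose the cert to present. certs[] is in command-line order, so certs[0]
 * is the "default" used when the ClientHello has no SNI extension
 * (sni == NULL). Otherwise the first cert with a matching DNS name wins.
 * NULL means no loaded cert covers the requested name; whether to fall back
 * to the default or abort the handshake is left to the caller. */
const server_cert *select_cert_for_sni(const server_cert *certs, size_t num_certs,
                                       const char *sni)
{
    if (certs == NULL || num_certs == 0)
        return NULL;
    if (sni == NULL)
        return &certs[0];
    for (size_t i = 0; i < num_certs; i++)
        for (size_t j = 0; j < certs[i].num_names; j++)
            if (host_name_matches(certs[i].dns_names[j], sni))
                return &certs[i];
    return NULL;
}

/* Constructed sample: two certs from a private CA, as they might be loaded
 * with "-n ads-cert -n www-cert". Nicknames and names are assumptions. */
const server_cert example_certs[] = {
    { "ads-cert", { "ads.example.test", "*.ads.example.test" }, 2 },
    { "www-cert", { "www.example.test", "example.test" }, 2 },
};
const size_t example_cert_count = sizeof example_certs / sizeof example_certs[0];

/* Nickname of the cert selected for an SNI name, or "" when none matches. */
const char *nickname_for_sni(const char *sni)
{
    const server_cert *c = select_cert_for_sni(example_certs, example_cert_count, sni);
    return c ? c->nickname : "";
}

int main(void)
{
    const char *queries[] = { NULL, "WWW.Example.Test", "tracker.ads.example.test",
                              "a.b.ads.example.test", "other.example.test" };
    for (size_t i = 0; i < sizeof queries / sizeof queries[0]; i++)
        printf("SNI %-26s -> %s\n", queries[i] ? queries[i] : "(none)",
               nickname_for_sni(queries[i]));
    return 0;
}
```

Because the nickname plays no part in matching, the certs can be named anything; only the DNS names inside them decide which one is sent, which is the point of the change described above.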
Attachment #471569 - Flags: review?(alexei.volkov.bugs)
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → DUPLICATE
Comment on attachment 471569 [details] [diff] [review]
Patch for trunk - v1

I'd mark this copy of the patch obsolete, if I could figure out how! :-/
Attachment #471569 - Attachment is obsolete: true
Attachment #471569 - Flags: review?(alexei.volkov.bugs)
