Improve selfserv's SNI-based cert selection for certs with multiple DNS names

RESOLVED DUPLICATE of bug 570370

Status

Product: NSS
Component: Tools
Priority: P3
Severity: enhancement

People

(Reporter: Nelson Bolyard (seldom reads bugmail), Assigned: Nelson Bolyard (seldom reads bugmail))


Attachments

(1 obsolete attachment)

Created attachment 471569 [details] [diff] [review]
Patch for trunk - v1

Attached is a patch for selfserv on the trunk. It makes selfserv choose from among multiple server certificates by looking up the client's SNI name in the host names in the cert(s), and picking the first cert that it finds with a matching host name. It uses the same host name matching function as our clients use.

With this patch, it is no longer necessary to use a DNS name for a cert's nickname, because the nickname is not used for matching with SNI strings. It is also no longer necessary to provide multiple DNS names on the command line. selfserv will use all the host names found in the cert(s).

This patch makes the -a and -n options synonymous. Either one or both may be used to specify a nickname for a cert, and up to 10 nicknames may be given. The first nickname given becomes the "default" cert, the one used if no SNI option is present in the client hello.

I have been running this patch at home continuously for 9 weeks. I use selfserv with certs from my own CA to respond to requests sent to https ad servers that are redirected to 127.1 via my hosts file.

This patch also makes one other change, which makes the patch MUCH larger than it otherwise needs to be. It removes the name "selfserv" from all the error messages, and instead displays the name given on the command line to invoke the program. This adds a lot of lines to the patch, but they are trivial to review.
Attachment #471569 - Flags: review?(alexei.volkov.bugs)
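The selection rule described in the comment above (first cert given is the default when the client sends no SNI; otherwise the first cert whose host names contain a match for the SNI name, with nicknames playing no part in matching), as an added stand-alone example. This is not selfserv's or NSS's code and the patch itself is not shown on this page: the `server_cert` structure, the `hostname_matches` routine and the `sample_certs` data are constructed assumptions. A real implementation would walk the certificate's subjectAltName dNSName entries and reuse NSS's client-side matching function (`CERT_VerifyCertName`); the simplified matcher here only handles a case-insensitive exact match or a single-label leftmost wildcard. The comment does not say what selfserv does when an SNI name is present but matches nothing, so this example returns -1 and leaves that decision to the caller.

```c
/* Added example of SNI-based server-certificate selection modelled on the
 * behaviour described in the bug comment. Not selfserv/NSS code: the
 * struct, the name matcher and the sample data are assumptions. */
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_CERTS 10   /* the comment says up to 10 nicknames may be given */
#define MAX_NAMES 8

typedef struct {
    const char *nickname;              /* -a/-n value; NOT consulted for matching */
    const char *dns_names[MAX_NAMES];  /* host names read from the cert, NULL-terminated */
} server_cert;

/* Case-insensitive comparison of n bytes of two host-name fragments. */
static int ieq(const char *a, const char *b, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i]))
            return 0;
    }
    return 1;
}

/* Simplified stand-in for client-side host-name matching (assumption: NSS's
 * real rules live in CERT_VerifyCertName). Accepts an exact, case-insensitive
 * match, or a wildcard confined to the leftmost label ("*.example.com") that
 * stands for exactly one non-empty label. Returns 1 on match, 0 otherwise. */
int hostname_matches(const char *pattern, const char *host)
{
    size_t plen = strlen(pattern), hlen = strlen(host);
    if (plen == 0 || hlen == 0)
        return 0;
    if (strncmp(pattern, "*.", 2) != 0)
        return plen == hlen && ieq(pattern, host, hlen);

    const char *dot = strchr(host, '.');
    if (dot == NULL || dot == host)          /* wildcard needs a non-empty first label */
        return 0;
    const char *suffix = pattern + 1;        /* ".example.com" */
    size_t slen = plen - 1;
    return strlen(dot) == slen && ieq(dot, suffix, slen);
}

/* Index of the cert to present. No SNI -> the first cert given (the default).
 * With SNI -> the first cert carrying a matching host name. -1 -> SNI present
 * but nothing matched (assumption: the caller decides what to do then). */
int select_cert(const server_cert *certs, size_t ncerts, const char *sni)
{
    if (ncerts == 0)
        return -1;
    if (sni == NULL)
        return 0;
    for (size_t i = 0; i < ncerts; i++) {
        for (size_t j = 0; certs[i].dns_names[j] != NULL; j++) {
            if (hostname_matches(certs[i].dns_names[j], sni))
                return (int)i;
        }
    }
    return -1;
}

/* Constructed sample: nicknames deliberately differ from the DNS names, since
 * the nickname no longer matters for matching. */
const server_cert sample_certs[] = {
    { "ad-blocker",   { "ads.example.net", "*.ads.example.net", NULL } },
    { "home-ca-cert", { "www.example.org", "example.org", NULL } },
};
const size_t sample_ncerts = sizeof sample_certs / sizeof sample_certs[0];

int main(void)
{
    const char *queries[] = { NULL, "WWW.example.org", "pixel.ads.example.net",
                              "deep.pixel.ads.example.net", "other.test" };
    for (size_t i = 0; i < sizeof queries / sizeof queries[0]; i++) {
        int idx = select_cert(sample_certs, sample_ncerts, queries[i]);
        printf("SNI %-28s -> %s\n", queries[i] ? queries[i] : "(none)",
               idx < 0 ? "no matching cert" : sample_certs[idx].nickname);
    }
    return 0;
}
```

The wildcard case is where a home-grown matcher usually goes wrong: "*.ads.example.net" must cover "pixel.ads.example.net" but not "deep.pixel.ads.example.net" or the bare "ads.example.net", which is why reusing the client-side matching function, as the patch does, is the right call rather than comparing strings ad hoc.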
(Assignee) Updated

Status: NEW → RESOLVED
Resolution: --- → DUPLICATE
Duplicate of bug: 570370
Comment on attachment 471569 [details] [diff] [review]
Patch for trunk - v1

I'd mark this copy of the patch obsolete, if I could figure out how! :-/
(Assignee) Updated

Attachment #471569 - Attachment is obsolete: true
Attachment #471569 - Flags: review?(alexei.volkov.bugs)