This queue is for tickets about the IO-Socket-SSL CPAN distribution.

Report information
The Basics
Id: 82761
Status: resolved
Priority: 0/
Queue: IO-Socket-SSL

People
Owner: Nobody in particular
Requestors: karel.miko [...] gmail.com
Cc:
AdminCc:

Bug Information
Severity: (no value)
Broken in: (no value)
Fixed in: (no value)



Subject: Server side SNI support
Date: Wed, 16 Jan 2013 19:51:47 +0100
To: bug-IO-Socket-SSL [...] rt.cpan.org
From: Karel Miko <karel.miko [...] gmail.com>
Hi,

Net::SSLeay has server side SNI support since 1.50
http://search.cpan.org/~mikem/Net-SSLeay-1.52/lib/Net/SSLeay.pod#Low_level_API:_Server_side_Server_Name_Indication_%28SNI%29_support

Please find enclosed proposal for adding server side SNI also to
IO::Socket::SSL.

It is implemented via a new option:

    SSL_server_SNI => {
        'host1.domain.com' => ['h1.crt', 'h1.key'],
        'host2.domain.com' => ['h2.crt', 'h2.key']
    }

or

    SSL_server_SNI => sub { my $host = shift; ...; return ($certfile, $keyfile) },

If you find my proposal handy I can write a piece of documentation for this new feature.

Regards
--
Karel

Message body is not shown because sender requested not to inline it.

> Please find enclosed proposal for adding server side SNI also to
> IO::Socket::SSL.

Hi Karel,

thanks for the patch. Although I implemented it in a different way, I was inspired by your patch and motivated that someone needs this feature.

The main difference to your patch is that I did not add a new option, but instead let SSL_key* and SSL_cert* use a hash reference to provide the mapping between hostname and key/cert. The creation of the context per host is then done at configure time, and not when a client connects. I liked this approach more, because you get any problems with the keys or cert reported earlier. Also, not only cert and key files are supported, but also cert and key values (e.g. X509* and PKEY* objects).

The drawback of this approach is that I don't offer a callback function which determines cert and key when the client connects. This might be added in the future, but currently I don't see much value in it.

Thanks again,
Steffen
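The hash-reference form of SSL_cert/SSL_key described in the reply above, as an added example that is not code from the ticket or from the IO::Socket::SSL distribution. The loopback listener, the '' default entry, the in-memory self-signed certificates and the forked test client are assumptions made for the demonstration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use IO::Socket::SSL;
use IO::Socket::SSL::Utils;    # CERT_create

# Hostnames taken from the ticket; '' is the default entry, used when the
# client sends no SNI name or one that is not in the map.
my @hosts = ('host1.domain.com', 'host2.domain.com', '');
my (%cert, %key);
for my $h (@hosts) {
    # Constructed throwaway self-signed certificates (X509*/PKEY* values).
    ($cert{$h}, $key{$h}) =
        CERT_create(subject => { commonName => $h || 'default.invalid' });
}

IO::Socket::SSL->can_server_sni()
    or die "server-side SNI not supported by this Net::SSLeay/OpenSSL\n";

# One context per host is created here, at configure time, so a bad key or
# certificate is reported now and not at the first client connection.
my $server = IO::Socket::SSL->new(
    LocalAddr => '127.0.0.1',
    LocalPort => 0,            # let the OS pick a free port
    Listen    => 5,
    SSL_cert  => \%cert,       # hostname => X509*
    SSL_key   => \%key,        # hostname => PKEY*
) or die "listen failed: $!, $SSL_ERROR\n";
my $port = $server->sockport;

defined(my $pid = fork()) or die "fork failed: $!\n";
if (!$pid) {
    # Child: test client that asks for host2 via SNI.
    my $client = IO::Socket::SSL->new(
        PeerAddr        => "127.0.0.1:$port",
        SSL_hostname    => 'host2.domain.com',
        SSL_verify_mode => SSL_VERIFY_NONE,   # demo certs are self-signed
    ) or die "connect failed: $!, $SSL_ERROR\n";
    print "client received certificate for: ",
        $client->peer_certificate('commonName'), "\n";
    exit 0;
}

# Parent: the handshake inside accept() selects the context matching the name.
my $conn = $server->accept() or die "accept failed: $!, $SSL_ERROR\n";
my $name = $conn->get_servername();
print "server saw SNI name: ", (defined $name ? $name : '(none)'), "\n";
close $conn;
waitpid $pid, 0;
```

Replacing SSL_cert/SSL_key with SSL_cert_file/SSL_key_file and file paths as the hash values gives the file-based variant; a production client would keep certificate verification enabled.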