[gnutls-help] need help with SNI

Daniel Kahn Gillmor dkg at fifthhorseman.net
Wed Apr 9 23:31:25 CEST 2014


On 04/09/2014 10:55 AM, Olaf Zaplinski wrote:
> I have a problem with SNI.
> 
> I have 3 name based vhosts with GnuTLS.


I think you're talking about apache with mod_gnutls.

I'm sending this response to mod_gnutls-devel at lists.gnutls.org since
that's a better place for apache-related mod_gnutls questions.  please
follow up there.

> joe.example.com runs with a certificate *.example.com from CA #1
> alice.example.net runs with certificate alice.example.net from CA #2
> bob.example.com runs with certificate bob.example.com from CA #2
> 
> In fact, joe is my (Debian) default host with config file
> /etc/apache2/sites-available/default-tls
> 
> The two first hosts work fine, but host bob presents the certificate
> from joe. It works because this certificate is a wildcard one, but I
> would like to know why GnuTLS refuses to present the certificate that I
> had configured.

can you be more specific about apache, mod_gnutls, and your
configuration?  it would help to know:

 * version information (of apache, of gnutls, of mod_gnutls)

 * concrete configuration file excerpts that you think might be relevant.

it does sound like there might be an SNI matching issue that we could
tighten up (presumably we'd want to take the most-specific match
possible, rather than the first-matching cert).

Regards,

	--dkg
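The behaviour in the thread (the first vhost whose certificate name covers the SNI name wins, so bob gets joe's wildcard) next to the most-specific selection dkg suggests, as an added example that is not mod_gnutls code; the vhost and certificate names are constructed from the thread.

```python
"""Added example (not mod_gnutls code): pick the most specific certificate for
a TLS SNI name instead of the first one whose name happens to match."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class VHostCert:
    vhost: str  # Apache vhost that owns the certificate (constructed)
    cn: str     # name the certificate is issued for (constructed)


# Constructed from the thread: joe's wildcard cert belongs to the default
# vhost and is listed first, so a first-match lookup hands it to bob.
CERTS = [
    VHostCert("joe.example.com", "*.example.com"),
    VHostCert("alice.example.net", "alice.example.net"),
    VHostCert("bob.example.com", "bob.example.com"),
]


def name_matches(cert_name: str, sni: str) -> bool:
    """RFC 6125 style: exact match, or a single leading '*' label that covers
    exactly one non-empty label of the SNI name (no partial-label wildcards)."""
    cert_name, sni = cert_name.lower().rstrip("."), sni.lower().rstrip(".")
    if cert_name == sni:
        return True
    if cert_name.startswith("*."):
        suffix = cert_name[1:]  # ".example.com"
        if not sni.endswith(suffix):
            return False
        head = sni[: -len(suffix)]  # the part the '*' must cover
        return head != "" and "." not in head
    return False


def first_match(sni: str) -> Optional[VHostCert]:
    """Behaviour the thread describes: first certificate that matches wins."""
    return next((c for c in CERTS if name_matches(c.cn, sni)), None)


def most_specific_match(sni: str) -> Optional[VHostCert]:
    """Prefer an exact name over a wildcard; among wildcards, more labels win."""
    candidates = [c for c in CERTS if name_matches(c.cn, sni)]
    if not candidates:
        return None

    def specificity(c: VHostCert):
        return (0 if c.cn.startswith("*.") else 1, c.cn.count("."))

    return max(candidates, key=specificity)
```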


