[mod_gnutls-devel] mod_gnutls and multiple TLS-vHosts

Thomas Klute thomas2.klute at uni-dortmund.de
Mon Nov 9 18:30:29 CET 2015


On 03.11.2015 at 17:48, Django wrote:
> I always thought that mod_gnutls enables multiple TLS virtual
> name-based hosts. Is this right?

Yes, it does. If you want to look at the code in gnutls_hooks.c:
mgs_select_virtual_server_cb is set as "post client hello function" (see
gnutls_handshake_set_post_client_hello_function [1]) to load credentials
matching the vhost config. mgs_select_virtual_server_cb calls
mgs_find_sni_server to try and find a vhost matching SNI information
provided by the client (if any).

> I tried to set up two name-based vhosts, but if I try to check both
> hosts via https://www.ssllabs.com/ssltest/ the default host is marked
> as "without SNI" and the second host is marked "only usable with
> SNI-supported browsers".

I'm afraid I can't comment on your configuration without seeing it. The
default host is what you'll get if the client does not send the SNI
extension, but if ServerName is set properly it should be reachable with
SNI, too. If it isn't, that'd be a bug that should be fixed, but I'd
need more information to reproduce.

Regards,
Thomas

[1]
http://gnutls.org/manual/html_node/Core-TLS-API.html#gnutls_005fhandshake_005fset_005fpost_005fclient_005fhello_005ffunction
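
Added example, not part of the original message and not mod_gnutls code: a simplified C model of the selection described above, covering a host reached through SNI and the default host returned when the client sends none. It goes one step further than the message by parsing the server_name extension body (RFC 6066) itself; struct vhost, sni_host_name, select_vhost, the host names, and the choice of vhosts[0] as default host are all assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Hypothetical vhost entry for this example; not mod_gnutls's own structure. */
struct vhost { const char *server_name; const char *cert_file; };

/* Find the first host_name entry (type 0) in a server_name extension body
 * (RFC 6066 ServerNameList). Returns its length and points *name into buf;
 * returns 0 if the name is absent or the lengths are inconsistent. */
static size_t sni_host_name(const uint8_t *buf, size_t len, const uint8_t **name)
{
    if (len < 2) return 0;
    size_t list_len = ((size_t)buf[0] << 8) | buf[1];
    if (list_len != len - 2) return 0;        /* list must fill the extension */
    for (size_t off = 2; off + 3 <= len; ) {
        size_t n = ((size_t)buf[off + 1] << 8) | buf[off + 2];
        if (n > len - off - 3) return 0;      /* entry overruns the buffer */
        if (buf[off] == 0 && n > 0) { *name = buf + off + 3; return n; }
        off += 3 + n;
    }
    return 0;
}

/* Return the vhost whose server_name equals the SNI host name (compared
 * case-insensitively, as DNS names are); with no SNI, malformed SNI or no
 * match, return vhosts[0], this example's default host. Needs count >= 1. */
const struct vhost *select_vhost(const struct vhost *vhosts, size_t count,
                                 const uint8_t *sni_ext, size_t sni_len)
{
    const uint8_t *name = NULL;
    size_t n = sni_ext ? sni_host_name(sni_ext, sni_len, &name) : 0;
    for (size_t i = 0; n > 0 && i < count; i++)
        if (strlen(vhosts[i].server_name) == n &&
            strncasecmp(vhosts[i].server_name, (const char *)name, n) == 0)
            return &vhosts[i];
    return &vhosts[0];
}
/* Constructed sample data: two vhosts and an extension body naming the second. */
static const struct vhost VHOSTS[] = { { "www.example.org", "default.pem" },
                                       { "shop.example.org", "shop.pem" } };
static const uint8_t SNI_SHOP[] = { 0x00, 0x13, 0x00, 0x00, 0x10,
    's','h','o','p','.','e','x','a','m','p','l','e','.','o','r','g' };
int main(void)
{
    printf("no SNI   -> %s\n", select_vhost(VHOSTS, 2, NULL, 0)->cert_file);
    printf("SNI shop -> %s\n", select_vhost(VHOSTS, 2, SNI_SHOP, sizeof SNI_SHOP)->cert_file);
    return 0;
}
```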
