
SNI, Can I put cert outside socket block?

Added by viki about 5 years ago

According to the docs, "To use SNI with lighttpd, simply put additional ssl.pemfile configuration directives inside host conditionals under the socket conditional." I have something like this:

*#lighttpd.conf*

include "ssl.conf" 
include "vhosts.conf" 

*#ssl.conf*
$SERVER["socket"] == ":443" {

#... other directives
    ssl.pemfile = "/etc/letsencrypt/live/s/common.pem" 
    ssl.ca-file = "/etc/letsencrypt/live/s/fullchain.pem" 
}

*#vhosts.conf*
$HTTP["host"] == "x.com" {
    ssl.pemfile = "/etc/letsencrypt/live/x.com/common.pem" 
    ssl.ca-file = "/etc/letsencrypt/live/x.com/fullchain.pem" 
}

The SSL Labs checker says it's valid, but can there be any problems with this configuration?
Lighty v1.4.49 (ssl)

Second question: can I disable non-SNI clients? Apache has https://wiki.apache.org/httpd/NameBasedSSLVHostsWithSNI
SSLStrictSNIVHostCheck on -> 403 [error] No hostname was provided via SNI for a name based virtual host


Replies (3)

RE: SNI, Can I put cert outside socket block? - Added by gstrauss about 5 years ago

The SSL Labs checker says it's valid, but can there be any problems with this configuration?

Your configuration might not do everything you configured.

If you are only enabling ssl inside the $SERVER["socket"]:443 { } block, then the include "ssl.conf" belongs in that block.

Second question: can I disable non-SNI clients?

lighttpd does not currently provide such a directive. SNI is sent in the clear in TLS 1.2, so this might not be providing you with what you are hoping. What are you trying to achieve?

RE: SNI, Can I put cert outside socket block? - Added by viki about 5 years ago

All SSL blocks inside lighttpd.conf are disabled (commented out), and after them (after the default SSL config) I include an extra file, "ssl.conf". Basically it has content like https://gist.github.com/BlueT/ee521743fa0da703af68f37ac0f63a90#file-10-ssl-conf. This section (for the whole server) contains the SSL cert for the PTR domain. After ssl.conf (in lighttpd.conf) I have vhosts.conf:

include "ssl.conf" 
include "vhosts.conf" 

where I put the standard vhosts configuration:

# after $SERVER["socket"] block
$HTTP["host"] == "x.com" {
    # here I override ssl certs included inside $SERVER["socket"] directive
    ssl.pemfile = "/etc/letsencrypt/live/x.com/common.pem" 
    ssl.ca-file = "/etc/letsencrypt/live/x.com/fullchain.pem" 
# some other config specific for this domain like rewrites, directory configuration etc.
}

So the ssl.pemfile and ssl.ca-file specific to this host are inside the $HTTP["host"] section but outside the $SERVER["socket"] block. This works fine but is against what the docs say. My question is: can I keep it as is, or should I move it to the socket section? The whole $HTTP["host"] section is generated automatically by a bash script and, as a whole, is more logical to manage. But if it's wrong I can create another include in ssl.conf with the hosts' cert files.

2. I want to do exactly what Apache's SSLStrictSNIVHostCheck on does -> 403 error. I do not want older (non-SNI) clients to see the bad certificate for the PTR domain.

openssl s_client -connect x.com:443 #disallow connection, wrong certificate served (for PTR domain)
openssl s_client -connect x.com:443 -servername x.com #ok

RE: SNI, Can I put cert outside socket block? - Added by gstrauss about 5 years ago

So the ssl.pemfile and ssl.ca-file specific to this host are inside the $HTTP["host"] section but outside the $SERVER["socket"] block.

That's fine. Those can be configured per host. However, those directives will have no effect for connections to sockets which are not enabled for SSL by a separate $SERVER["socket"] directive.

I want to do exactly what Apache's SSLStrictSNIVHostCheck on does -> 403 error. I do not want older (non-SNI) clients to see the bad certificate for the PTR domain.

What do you expect the client to see? If the SSL connection is negotiated, the client will see the non-matching cert before the 403 response. Do you expect lighttpd to bail on the negotiation and close the connection so that the client fails to negotiate the SSL connection?
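Since the point above is that a non-SNI client is shown the default certificate before any 403 can be sent, the check an operator wants is to observe both handshakes directly and compare the leaf certificates. The script below is an added example, not from the thread and not lighttpd's own code; it assumes openssl on PATH (OpenSSL 1.1.1+ for -noservername), and the host, port and names it takes are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread or from lighttpd: show which leaf cert a
# server hands to a client that sends SNI versus one that does not, i.e. what
# the "older (non-SNI) client" above actually sees. Assumes openssl on PATH;
# -noservername needs OpenSSL 1.1.1+ (which otherwise sends -connect's host as SNI).

# Print the leaf subject from `openssl s_client` output read on stdin.
# Handles "subject=CN = x.com" (OpenSSL 1.1.1+) and "subject=/CN=x.com" (older).
leaf_subject() {
    sed -n 's/^subject=[[:space:]]*//p' | head -n 1
}

# Print the SHA-256 fingerprint of the first PEM block on stdin (the leaf cert).
leaf_fingerprint() {
    sed -n '/^-----BEGIN CERTIFICATE-----/,/^-----END CERTIFICATE-----/p' \
        | sed '/^-----END CERTIFICATE-----/q' \
        | openssl x509 -noout -fingerprint -sha256 2>/dev/null \
        | sed 's/^.*=//'
}

# Handshake with $1:$2, sending $3 as SNI when given and no SNI otherwise.
probe() {
    [ -n "$3" ] && set -- "$1:$2" -servername "$3" || set -- "$1:$2" -noservername
    printf '' | openssl s_client -connect "$@" 2>/dev/null
}

# Classify default-vs-SNI fingerprints (pure text, so it can be unit-tested).
verdict() {
    if [ -z "$1" ] || [ -z "$2" ]; then
        echo "handshake failed: no certificate captured"
    elif [ "$1" = "$2" ]; then
        echo "same cert with and without SNI (default host, or per-host ssl.pemfile not in effect)"
    else
        echo "per-host cert active; non-SNI clients get the default cert"
    fi
}

# Usage: sh sni_check.sh <host-or-ip> <port> <name>...   (arguments are placeholders)
if [ "$#" -ge 3 ]; then
    host=$1; port=$2; shift 2
    plain=$(probe "$host" "$port")
    plain_fp=$(printf '%s\n' "$plain" | leaf_fingerprint)
    printf 'no SNI: %s (%s)\n' "$plain_fp" "$(printf '%s\n' "$plain" | leaf_subject)"
    for name in "$@"; do
        out=$(probe "$host" "$port" "$name")
        fp=$(printf '%s\n' "$out" | leaf_fingerprint)
        printf '%s: %s (%s)\n' "$name" "$fp" "$(printf '%s\n' "$out" | leaf_subject)"
        verdict "$plain_fp" "$fp"
    done
fi
```

On OpenSSL builds older than 1.1.1, connecting to the bare IP address instead of a host name is the portable way to guarantee that no SNI is sent.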
