Feature #386

closed

TLS servername extension (SNI) for namebased TLS-vhosts

Added by Anonymous over 15 years ago. Updated almost 12 years ago.

Status:
Fixed
Priority:
Normal
Category:
core
Target version:
ASK QUESTIONS IN Forums:

Description

What about implementing TLS and the servername extension?

SNI makes it possible to have secure vhosts (TLS) which are name-based and use only one IP, not IP-based as is necessary for SSL today (with an extra IP for every hostname).

This feature is already included in Opera and will be included in the next IE and Mozilla releases.

Support in IE7: http://blogs.msdn.com/ie/archive/2005/10/22/483795.aspx
Support in Opera8: http://my.opera.com/community/dev/tp/760/tls11/info/
Patch for Mozilla: https://bugzilla.mozilla.org/show_bug.cgi?id=116169

example: https://sni.corelands.com/

SNI: http://paul.querna.org/journal/articles/2005/04/24/tls-server-name-indication?postid=70

-- akorthaus

Files

lighttpd_1.4.18_tls_server_name_indication.patch (10.1 KB) lighttpd_1.4.18_tls_server_name_indication.patch TLS server name indication support (lighttpd 1.4.18) phc, 2007-11-12 23:48
lighttpd_1.5.0_r2022_tls_server_name_indication.patch (9.44 KB) lighttpd_1.5.0_r2022_tls_server_name_indication.patch TLS server name indication support (lighttpd 1.5.0-svn) phc, 2007-11-18 13:53
lighttpd_1.4.x_r2024_tls_server_name_indication.patch (10.1 KB) lighttpd_1.4.x_r2024_tls_server_name_indication.patch TLS server name indication support (lighttpd 1.4.x-svn) phc, 2007-11-18 13:54
lighttpd_1.4.x_r2118_tls_server_name_indication.patch (10.2 KB) lighttpd_1.4.x_r2118_tls_server_name_indication.patch TLS server name indication support (lighttpd 1.4.x-svn) phc, 2008-03-08 17:42
lighttpd_1.5.0_r2171_tls_server_name_indication.patch (10.5 KB) lighttpd_1.5.0_r2171_tls_server_name_indication.patch TLS server name indication support (lighttpd 1.5.0-svn) phc, 2008-05-15 20:00
lighttpd_1.4.x_tls_server_name_indication_and_client_verify.patch (17.2 KB) lighttpd_1.4.x_tls_server_name_indication_and_client_verify.patch oleg.smirnov, 2009-09-30 13:07

Actions #1

Updated by Anonymous about 14 years ago

is someone working on this thing?

Actions #2

Updated by darix about 14 years ago

not atm.
we don't support gnutls for ssl and openssl needs 0.9.9 afaik to support SNI. 0.9.9 is not released yet. that said... we can't support it atm.

Actions #3

Updated by Anonymous over 13 years ago

OpenSSL 0.9.8f has been released and supports SNI.

Actions #4

Updated by Anonymous over 13 years ago

OpenSSL 0.9.8f supports SNI, so should we expect SNI support in 1.4 or 1.5 (or both?)? Thanx!

-- meka

Actions #5

Updated by phc over 13 years ago

Hi,

After checking out the server name indication patch for Apache mod_ssl, I decided to implement TLS server name extension support for lighttpd.

For TLS server name indication to work, OpenSSL 0.9.8f or greater is required and has to be compiled with enable-tlsext, which is not yet done by default with most distributions (at least not with Debian unstable).

With the appropriate patch applied against either lighttpd 1.4.18 or 1.5.0-svn, it is then possible to specify additional certificates within $HTTP["host"] conditionals, e.g.

$SERVER["socket"] == "10.0.0.1:443" {
  ssl.engine                  = "enable" 
  ssl.pemfile                 = "www.example.org.pem" 

  $HTTP["host"] == "foo.example.org" {
    ssl.pemfile                 = "foo.example.org.pem" 
  }

  $HTTP["host"] =~ "^(bar\.)example.org(:|$)" {
    # certificate with subjectAltName=DNS:example.org,DNS:bar.example.org
    ssl.pemfile                 = "bar.example.org.pem" 
  }
}

$HTTP["host"] == "foo.example.org" {
  document.root               = "/srv/www/foo.example.org" 
}

or, alternatively,

$SERVER["socket"] == "10.0.0.1:443" {
  ssl.engine                  = "enable" 
  ssl.pemfile                 = "www.example.org.pem" 
}

$HTTP["host"] == "foo.example.org" {
  ssl.pemfile                 = "foo.example.org.pem" 
  document.root               = "/srv/www/foo.example.org" 
}

$HTTP["host"] =~ "^(bar\.)example.org(:|$)" {
  # certificate with subjectAltName=DNS:example.org,DNS:bar.example.org
  ssl.pemfile                 = "bar.example.org.pem" 
}

Besides ssl.pemfile, ssl.ca-file and ssl.cipher-list (with lighttpd 1.4.18 only) may also be configured independently for each virtual host.
As TLS extensions are not supported in SSLv2, however, it does not make any sense to set ssl.use-sslv2 within a $HTTP["host"] conditional.

On the client side, I had success with both Firefox 2.0 and Opera 9 (running on GNU/Linux).

Regards,
Peter
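To make the certificate selection in the config above concrete, here is an added example (not code from the patch or from lighttpd itself): a small Python parser that pulls host_name out of a TLS ClientHello's SNI extension and then applies the same conditionals, exact host first, then the regex, else the socket's default ssl.pemfile. The ClientHello builder and the hostname-to-pemfile mapping are constructed for this example.

```python
import re
import struct

DEFAULT_PEMFILE = "www.example.org.pem"                                   # ssl.pemfile on the socket
EXACT_HOSTS = {"foo.example.org": "foo.example.org.pem"}                  # $HTTP["host"] == ...
REGEX_HOSTS = [(re.compile(r"^(bar\.)example.org(:|$)"), "bar.example.org.pem")]  # $HTTP["host"] =~ ...

def build_client_hello(hostname=None):
    # Constructed TLS 1.0 ClientHello; the SNI extension is omitted when hostname is None.
    exts = b""
    if hostname is not None:
        name = hostname.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name       # name_type 0 = host_name
        sni = struct.pack("!H", len(entry)) + entry                  # ServerNameList
        exts = struct.pack("!HH", 0, len(sni)) + sni                 # extension type 0 = server_name
    body = (b"\x03\x01" + bytes(32) + b"\x00" + b"\x00\x02\x00\x2f" + b"\x01\x00"
            + struct.pack("!H", len(exts)) + exts)  # version, random, session id, suites, compression
    hs = b"\x01" + len(body).to_bytes(3, "big") + body               # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs         # record type 22 = handshake

def extract_sni(record):
    # Walk the ClientHello and return host_name from the SNI extension, or None if it is absent.
    if len(record) < 44 or record[0] != 0x16 or record[5] != 0x01:
        return None
    pos = 5 + 4 + 2 + 32                                              # headers, version, random
    pos += 1 + record[pos]                                            # session id
    pos += 2 + struct.unpack("!H", record[pos:pos + 2])[0]            # cipher suites
    pos += 1 + record[pos]                                            # compression methods
    if pos + 2 > len(record):
        return None                                                   # no extensions block at all
    end = pos + 2 + struct.unpack("!H", record[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", record[pos:pos + 4])
        pos += 4
        if ext_type == 0 and ext_len >= 5:
            name_len = struct.unpack("!H", record[pos + 3:pos + 5])[0]
            return record[pos + 5:pos + 5 + name_len].decode("ascii")
        pos += ext_len
    return None

def select_pemfile(record):
    # Apply the conditionals in order: exact host, then the regex, else the socket's default.
    host = extract_sni(record)
    if host in EXACT_HOSTS:
        return EXACT_HOSTS[host]
    for pattern, pemfile in REGEX_HOSTS:
        if host is not None and pattern.search(host):
            return pemfile
    return DEFAULT_PEMFILE       # no SNI (the "failed to get TLS server name" case) or no match
```

A client that sends no SNI at all, which is what the "SSL: failed to get TLS server name" log line later in this thread corresponds to, ends up with the socket's default certificate, exactly as the reporters observed.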

Actions #6

Updated by phc over 13 years ago

Following up, here are some updated patches for lighttpd trunk and the lighttpd-1.4.x branch.

These include support for $HTTP["scheme"] conditionals, e.g.

$HTTP["scheme"] == "https" {
  $HTTP["host"] == "foo.example.org" {
    document.root               = "/srv/www/foo.example.org" 
    ssl.pemfile                 = "foo.example.org.pem" 
  }
}

Actions #6

Updated by phc over 13 years ago

A minor update for lighttpd 1.4.x r2080 or later, especially the 1.4.19~r2118 pre-release.

From changeset 2080 onwards, the cond_cache is reset after invocation of the TLS servername callback function (in response.c instead of connections.c). Therefore, the following lines are also necessary in the network_ssl_servername_callback function:

config_cond_cache_reset(srv, con);
config_setup_connection(srv, con);

Actions #7

Updated by Anonymous about 13 years ago

Is the SNI patch included in the 1.5 version of the SVN? When I make a dry run of the 1.5 patch, there are many hunks. I tried it with 2 different certs, but just the main cert will be delivered from the server, not the other cert I wanted.

$SERVER["socket"] == "192.168.2.110:443" {
  ssl.engine                  = "enable"
  ssl.pemfile                 = "/etc/pkis/CA/private/intranet.intra-key-cert.pem"

  $HTTP["host"] == "intranet.intra" {
    ssl.pemfile                 = "/etc/pkis/CA/private/intranet.intra-key-cert.pem"
  }

  $HTTP["host"] == "tf.intranet" {
    ssl.pemfile                 = "/etc/pkis/CA/private/tf.intranet-key-cert.pem"
  }
}

It can read the intranet.intra cert, but won't read the other cert. I checked out the newest version of lighttpd at 4pm today, don't remember the revision. Do I need to use the 1.4.x tree?

-- webmaster

Actions #9

Updated by phc about 13 years ago

Replying to :

Is the SNI Patch in the 1.5 Version of the SVN included?

No, it has not yet been integrated into lighttpd trunk.

When i make a dry-run of the 1.5 Patch, there are many hunks. I tryed it with 2 different CERTS, but just the main cert will be delivered from the server, no the other cert i wanted.

I updated the lighttpd-1.5 patch for svn r2171, that should make it work again.

Actions #10

Updated by Anonymous about 13 years ago

Thanks, the Patch works fine :) Now i can make a quick howto about Lighty and SNI and change my production servers.

-- webmaster

Actions #11

Updated by dbb about 12 years ago

Is anyone having issues with this patch with Firefox and v1.4.23? With Firefox 3.5 RC3, https://sni.velox.ch/ seems to show that SNI is being sent correctly. However, when I try to access two of my sites using SNI (https://liqd.org/wiki/ and https://code.liqd.org/) I get the following error in the log:

####-##-## ##:##:##: (network.c.73) SSL: failed to get TLS server name

Firefox is sent the default certificate. However, when using Internet Explorer 8 and Opera 9.64 no such error occurs and the browsers are sent the correct certificates.

Actions #12

Updated by dbb about 12 years ago

dbb wrote:

Is anyone having issues with this patch with Firefox and v1.4.23? With Firefox 3.5 RC3, https://sni.velox.ch/ seems to show that SNI is being sent correctly. However, when I try to access two of my sites using SNI (https://liqd.org/wiki/ and https://code.liqd.org/) I get the following error in the log:

[...]

Firefox is sent the default certificate. However, when using Internet Explorer 8 and Opera 9.64 no such error occurs and the browsers are sent the correct certificates.

Tested today and it apparently works with no change in configuration, weird.

Actions #13

Updated by stbuehler about 12 years ago

  • Target version set to 1.4.x

Actions #14

Updated by BoBsoN about 12 years ago

When I was testing this feature I noticed that:
1) You always must set an SSL cert for the IP address (socket); without that it was not working (a little annoying if you don't have a cert for e.g. the primary domain).
2) When you shut down lighttpd, then call an SSL page with SNI from Firefox, you get info that the page is unavailable. You start lighttpd and reload the page, and SNI is not working any longer. Don't know if this is a bug in Firefox or a lighttpd-related thing, but it looks like after a reload the SNI procedure is not triggered.

Actions #15

Updated by oleg.smirnov almost 12 years ago

Just made a cumulative patch combining TLS SNI and SSL client verification from Issue #921.

Actions #16

Updated by stbuehler almost 12 years ago

  • Target version changed from 1.4.23 to 1.4.x

And in what way do you think combining patches helps to get them applied?

And why do you think you should change the Target version??? (And how did you select 1.4.23? That shouldn't be possible as it is released...)

Actions #17

Updated by stbuehler almost 12 years ago

  • Status changed from New to Patch Pending
  • Assignee deleted (jan)
  • Target version changed from 1.4.x to 1.4.24

Actions #18

Updated by stbuehler almost 12 years ago

  • Status changed from Patch Pending to Fixed
  • % Done changed from 0 to 100

Applied in changeset r2648.
