
maria-discuss team mailing list archive

Re: TLS SNI support

 

> On 2 Sep 2016, at 1:59 PM, Reinis Rozitis <r@xxxxxxx> wrote:
> 
>> Actually, that’s a big annoyance with Apache, that the configuration expects every virtual host to have the same SSL certificate. So if your vhost has 5 domains, you need a single certificate with 5 domains. Bleh.
> 
> Well you just make 5 vhosts with each having its own certificate definition but everything else common (like use include etc).
> Though this is out of scope of this mailing list.
> 

On a site that hosts tens of thousands of domains that becomes inefficient very quickly. But, as you say, off-topic.

> 
>> Mail is less useful but still relevant: domain owners want to brand all of their services with their domain name. If I’m setting up “felipes-stuff.com” and have employees go to “hals-hosting.net” for mail, that’s not as “branded” of an experience as if everything used the same domain.
> 
>> Database access is similar. There is still a use case for SNI here, even if it’s not the most apparent one.
> 
> If you really want to "brand" your single MySQL instance by having multiple SSL certificates (as the previous person said - I don't see a very valid reason either) you can plug an SSL offloader like haproxy in between in TCP mode. Then just simply provide a directory of all the *.pem certificates and haproxy will do the rest.

We’ll still need a client library that “speaks” SNI.

I’ll look into haproxy and see what’s what. Thanks!

-FG
