maria-discuss team mailing list archive
Message #03925
Re: TLS SNI support
> On 2 Sep 2016, at 1:59 PM, Reinis Rozitis <r@xxxxxxx> wrote:
>
>> Actually, that’s a big annoyance with Apache, that the configuration expects every virtual host to have the same SSL certificate. So if your vhost has 5 domains, you need a single certificate with 5 domains. Bleh.
>
> Well you just make 5 vhosts with each having its own certificate definition but everything else common (like use include etc).
> Though this is out of scope of this mailing list.
>
On a site that hosts tens of thousands of domains that becomes inefficient very quickly. But, as you say, off-topic.
>
>> Mail is less useful but still relevant: domain owners want to brand all of their services with their domain name. If I’m setting up “felipes-stuff.com” and have employees go to “hals-hosting.net” for mail, that’s not as “branded” of an experience as if everything used the same domain.
>
>> Database access is similar. There is still a use case for SNI here, even if it’s not the most apparent one.
>
> If you really want to "brand" your single MySQL instance by having multiple SSL certificates (as the previous person said - I don't see a very valid reason either) you can plug an SSL offloader like haproxy between in TCP mode. Then just simply provide a directory of all the *.pem certificates and haproxy will do the rest.
We’ll still need a client library that “speaks” SNI.
I’ll look into haproxy and see what’s what. Thanks!
-FG
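
What a client library that "speaks" SNI puts on the wire, as an added example that is not part of the original message or of any MariaDB or haproxy code: Python's `ssl` module starts a handshake in memory and a small parser reads the `server_name` extension back out of the ClientHello, which is the field a certificate-selecting front end keys on. The helper names `client_hello`, `u16` and `extract_sni` are hypothetical; the hostnames are the ones used in the thread.

```python
import ssl

def client_hello(server_hostname):
    """Begin a TLS handshake in memory; return the client's first record."""
    ctx = ssl.create_default_context()
    # Hostname checking needs a name; relax it only to build the no-SNI case.
    ctx.check_hostname = server_hostname is not None
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname=server_hostname)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass  # expected: the client now waits for the ServerHello
    return outgoing.read()

def u16(buf, pos):
    return int.from_bytes(buf[pos:pos + 2], "big")

def extract_sni(record):
    """Return the host_name in a ClientHello's server_name extension, or None."""
    # 0x16 = handshake record, 0x01 = ClientHello
    if len(record) < 44 or record[0] != 0x16 or record[5] != 0x01:
        return None
    try:
        pos = 5 + 4 + 2 + 32              # record hdr, handshake hdr, version, random
        pos += 1 + record[pos]            # session_id
        pos += 2 + u16(record, pos)       # cipher_suites
        pos += 1 + record[pos]            # compression_methods
        end = min(pos + 2 + u16(record, pos), len(record))
        pos += 2
        while pos + 4 <= end:
            ext_type, ext_len = u16(record, pos), u16(record, pos + 2)
            body = record[pos + 4:pos + 4 + ext_len]
            # extension 0 = server_name; name_type 0 = host_name
            if ext_type == 0 and len(body) >= 5 and body[2] == 0:
                return body[5:5 + u16(body, 3)].decode("ascii")
            pos += 4 + ext_len
    except IndexError:
        return None                       # truncated or malformed record
    return None

if __name__ == "__main__":
    for name in ("felipes-stuff.com", "hals-hosting.net", None):
        print(name, "->", extract_sni(client_hello(name)))
```

A client that passes no hostname produces a ClientHello with no `server_name` extension, so a front end holding many certificates has nothing to select on and falls back to its default.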