
maria-discuss team mailing list archive

Re: TLS SNI support


On 02.09.2016 at 21:08, Felipe Gasper wrote:

On 2 Sep 2016, at 1:59 PM, Reinis Rozitis <r@xxxxxxx> wrote:

Actually, that’s a big annoyance with Apache, that the configuration expects every virtual host to have the same SSL certificate. So if your vhost has 5 domains, you need a single certificate with 5 domains. Bleh.

Well, you just make 5 vhosts, each having its own certificate definition but everything else in common (using include etc.).
Though this is out of scope of this mailing list.

On a site that hosts tens of thousands of domains that becomes inefficient very quickly. But, as you say, off-topic.

so get some proxy in front for TLS offloading and don't bother Apache at all with TLS - the difference is that a proxy just has a simple mapping to the origin server and can select the right certificate based on the SNI in the handshake

doing the same with httpd would be completely illogical because it would become a hard-to-explain break in the way you configure a vhost when you suddenly have things outside <VirtualHost>

Mail is less useful but still relevant: domain owners want to brand all of their services with their domain name

then educate them

If I’m setting up “felipes-stuff.com” and have employees go to “hals-hosting.net” for mail, that’s not as “branded” of an experience as if everything used the same domain.

so what - it works without any issues, and for at least the last 15 years every human being with some brain understood why it makes no sense to brand server names that way if they are shared

if someone insists on having such bullshit he may pay me a large amount of money each month to maintain a dedicated server for him, or just eat the same lunch hundreds of others are happily eating - and frankly, in doubt I don't care for that money because I don't want to maintain useless things

Database access is similar. There is still a use case for SNI here, even if it’s not the most apparent one.

If you really want to "brand" your single MySQL instance by having multiple SSL certificates (as the previous person said - I don't see a very valid reason either) you can plug an SSL offloader like haproxy in between in TCP mode. Then just provide a directory of all the *.pem certificates and haproxy will do the rest.

We’ll still need a client library that “speaks” SNI.

guess how hard it's needed when within more than a decade nobody implemented it - I would look for real problems to solve instead of constructing ones like "branding of infrastructure names"

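The haproxy setup Reinis describes above (TCP mode, a directory of *.pem files, certificate chosen by SNI), written out as an added example that is not from the thread or from the haproxy project. The listener port, the certificate directory, the backend address and the TLS minimum version are assumptions; adjust them to the deployment.

```haproxy
# Added example (not from the thread): haproxy terminating TLS in front of a
# single MariaDB/MySQL instance and selecting the certificate by SNI.
# Paths, ports and the backend address are assumptions.

global
    # Assumed hardening: refuse anything below TLS 1.2 on the listener
    ssl-default-bind-options ssl-min-ver TLSv1.2

defaults
    mode tcp
    timeout connect 5s
    timeout client  1h
    timeout server  1h

frontend mysql_tls
    # With a directory argument, 'crt' loads every PEM file in it (private key
    # plus certificate chain in one file, in alphabetical order). haproxy
    # matches the client's SNI against each certificate's CN/SAN; with no
    # match it falls back to the first certificate loaded. Add 'strict-sni'
    # to refuse clients that send no matching name instead of falling back.
    bind *:3306 ssl crt /etc/haproxy/certs/
    default_backend mysql_plain

backend mysql_plain
    # The hop to the database is plain text, so keep it on a private network
    # (assumed address below) or on localhost with mysqld on a different port
    server db1 10.0.0.5:3306 check
```

To check which certificate a given name gets, run `openssl s_client -connect proxy-host:3306 -servername db.example.com </dev/null 2>/dev/null | openssl x509 -noout -subject` from a client and compare the subject against the file you expected. One caveat a practitioner should weigh before relying on this: the listener expects TLS from the first byte, whereas the MySQL wire protocol normally starts in clear text and upgrades to TLS in-band after the server greeting, so a stock client needs a TLS wrapper on its own side (stunnel or similar) or a driver that starts TLS immediately to reach this port, which is the same client-side gap Felipe raises about needing a library that speaks SNI.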