[Reference:<_A4573@delegate-en.ML_>]
Newsgroups: mail-lists.delegate-en

[DeleGate-En] Re: how to implement SNI on https? detailed instruction please.
21 Sep 2009 04:57:30 GMT feedback@delegate.org (Yutaka Sato)
The DeleGate Project


In message <_A4573@delegate-en.ML_> on 09/21/09(09:27:52)
you David Wang <p2eiqbdyi-f4q452wnww3r.ml@ml.delegate.org> wrote:
 |STLS=mitm is followed by your notes, after your explanation, yes, we should
 |configure it to be STLS=fcl. Yes, I know the SNI should be supported by
 |the browser as well. We are using Firefox 3.0.13 to test it. I just tested it
 |with STLS=fcl, the certificate is still using the delegate host's (
 |portal.abc.com), rather than our customer's (portal.xyz.com) even though I have
 |moved both certificate and key files for each domain into that CERTDIR
 |folder.

The following is a simple way to test SNI with DeleGate.

1) run a DeleGate as a HTTPS/SSL server

  % delegated -P9999 -fv SERVER=https STLS=fcl TLSCONF=-vd

2) access the server from a HTTPS/SSL client

  open "https://localhost.localdomain:9999" by a browser or by DeleGate as:
  % delegated -Fdget FSV=sslway https://localhost.localdomain:9999

  [the LOGFILE of DeleGate]
  --
  09/21 13:44:14.50 [6387] 1+1: ## SSLway CFI_TYPE=FCL: -ac is assumed
  09/21 13:44:14.50 [6387] 1+1: ## SSLway CFI_SYNC send start [23]
  09/21 13:44:14.50 [6387] 1+1: ## SSLway start
  09/21 13:44:14.51 [6387] 1+1: ## SSLway reuse ctx #2088594664 C0A3B0
  09/21 13:44:14.51 [6387] 1+1: ## SSLway 201FC00 loadSession 0.000133 (0 0) / -1
  09/21 13:44:14.51 [6387] 1+1: ## SSLway -- TLSxSNI: recv localhost.localdomain
  09/21 13:44:14.51 [6387] 1+1: ## SSLway -- TLSxSNI: localhost.localdomain NOT-FOUND
  09/21 13:44:14.51 [6387] 1+1: ## SSLway -- TLSxSNI: localhost.localdomain NOT-FOUND: DONT-CARED
  --
  *** it says there is no cert. for the domain but this is ignored ***
  
3) put a certificate file for SNI into DGROOT/etc/certs

   % cp xxx/yyy.pem etc/certs/sn.localhost.localdomain.pem
   % ls -l etc/certs
   -rw-r--r--   1 yutaka  yutaka  2278 Sep 21 13:35 sn.localhost.localdomain.pem
  
4) access the server again

  [the LOGFILE of DeleGate]
  --
  09/21 13:45:00.80 [6399] 1+1: ## SSLway CFI_TYPE=FCL: -ac is assumed
  09/21 13:45:00.81 [6399] 1+1: ## SSLway CFI_SYNC send start [23]
  09/21 13:45:00.81 [6399] 1+1: ## SSLway start
  09/21 13:45:00.81 [6399] 1+1: ## SSLway reuse ctx #2088594664 C0A2B0
  09/21 13:45:00.81 [6399] 1+1: ## SSLway 2021000 loadSession 0.000446 (0 0) / -1
  09/21 13:45:00.81 [6399] 1+1: ## SSLway -- TLSxSNI: recv localhost.localdomain
  09/21 13:45:00.83 [6399] 1+1: ## SSLway -- TLSxSNI: localhost.localdomain [/xxx/delegate/etc/certs/sn.localhost.localdomain.pem]
  09/21 13:45:00.84 [6399] 1+1: ## SSLway certchain loaded: /xxx/delegate/etc/certs/sn.localhost.localdomain.pem
  09/21 13:45:00.84 [6399] 1+1: ## SSLway keyfile loaded: /xxx/delegate/etc/certs/sn.localhost.localdomain.pem
  09/21 13:45:00.84 [6399] 1+1: ## SSLway TLSxSNI: localhost.localdomain /xxx/delegate/etc/certs/sn.localhost.localdomain.pem
  --
  *** it says the cert. for the domain is found and used ***

Cheers,
Yutaka
--
  9 9   Yutaka Sato <y.sato@delegate.org> http://delegate.org/y.sato/
 ( ~ )  National Institute of Advanced Industrial Science and Technology
_<   >_ 1-1-4 Umezono, Tsukuba, Ibaraki, 305-8568 Japan
Do the more with the less -- B. Fuller
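To confirm steps 2) and 4) from the client side, without reading the LOGFILE, here is an added Python script (not part of DeleGate or of this thread) that connects with a chosen SNI name, takes the SHA-256 fingerprint of the certificate the server actually presents, and compares it with the sn.<name>.pem files in DGROOT/etc/certs. The host, port and certs directory are assumptions taken from the example above.

```python
"""Probe a DeleGate HTTPS server with an SNI name and report which cert it served."""
import hashlib
import os
import socket
import ssl
import sys

CERT_HEADER = "-----BEGIN CERTIFICATE-----"
CERT_FOOTER = "-----END CERTIFICATE-----"


def der_fingerprint(der: bytes) -> str:
    """SHA-256 hex fingerprint of a DER-encoded certificate."""
    return hashlib.sha256(der).hexdigest()


def pem_file_fingerprint(path: str) -> str:
    """Fingerprint of the first CERTIFICATE block in a PEM file (the file may also hold the key)."""
    with open(path) as f:
        pem = f.read()
    start = pem.index(CERT_HEADER)
    end = pem.index(CERT_FOOTER, start) + len(CERT_FOOTER)
    return der_fingerprint(ssl.PEM_cert_to_DER_cert(pem[start:end]))


def sni_cert_table(certdir: str) -> dict:
    """Map SNI name -> fingerprint for every sn.<name>.pem in certdir (DGROOT/etc/certs)."""
    table = {}
    for fn in os.listdir(certdir):
        if fn.startswith("sn.") and fn.endswith(".pem"):
            table[fn[len("sn."):-len(".pem")]] = pem_file_fingerprint(os.path.join(certdir, fn))
    return table


def presented_cert(host: str, port: int, sni: str) -> bytes:
    """Handshake with the given SNI name and return the DER leaf certificate presented."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # test certs are self-signed; we only inspect, never trust
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=sni) as tls:
            return tls.getpeercert(binary_form=True)


def classify(presented_fp: str, sni: str, table: dict) -> str:
    """SNI-CERT if the sn.<sni>.pem cert was served, else which other cert (or the default) was."""
    if table.get(sni) == presented_fp:
        return "SNI-CERT"
    for name, fp in table.items():
        if fp == presented_fp:
            return "OTHER-SNI-CERT:" + name
    return "DEFAULT-OR-UNKNOWN"


if __name__ == "__main__":  # usage: sniprobe.py localhost.localdomain 9999 etc/certs
    host, port, certdir = sys.argv[1], int(sys.argv[2]), sys.argv[3]
    print(classify(der_fingerprint(presented_cert(host, port, host)), host, sni_cert_table(certdir)))
```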
