Re: [exim] SNI Support

Pàgina inicial
Delete this message
Reply to this message
Autor: John Burnham
Data:  
A: exim-users@exim.org >> \"<exim-users@exim.org>\"
Assumpte: Re: [exim] SNI Support
> >
> Part of it. I miss the setup example. Something like this:
>
> local_name domain1.com :
>
>      tls_key = /path/file1.key
>      tls_cert = /path/file1.cert

>
> local_name domain2.com :
>
>      tls_pem = /path/file2.pem

>
> I guess thats the part, which isn't implemented yet.
>


Ah, but tls_privatekey, tls_certificate etc are expandable so you can make use of that and the fact that $tls_sni contains the SNI name sent.

As it says in the docs:

If the string tls_sni appears in the main section's tls_certificate option (prior to expansion) then the following options will be re-expanded during TLS session handshake, to permit alternative values to be chosen:

    tls_certificate


    tls_crl


    tls_privatekey


    tls_verify_certificates


Great care should be taken to deal with matters of case, various injection attacks in the string (../ or SQL), and ensuring that a valid filename can always be referenced; it is important to remember that $tls_sni is arbitrary unverified data provided prior to authentication.

---
So you could have
Tls_privatekey = /etc/exim/keys/${tls_sni}
Tls_certificate = /etc/exim/certs/${tls_sni}
Or something fancier with lookups and defaults and all that sort of thing (and that does some sanity checking of the contents of $tls_sni - especially if you're using a SQL based lookup).