Re: [exim] SNI and DANE TLSA record monitoring

Inizio della pagina
Delete this message
Reply to this message
Autore: Felipe Gasper
Data:  
To: Jan Ingvoldstad
CC: exim users
Oggetto: Re: [exim] SNI and DANE TLSA record monitoring

> On Oct 19, 2016, at 8:42 AM, Jan Ingvoldstad <frettled@???> wrote:
>
> On Wed, Oct 19, 2016 at 2:35 PM, Felipe Gasper <felipe@???>
> wrote:
>
>> SNI is concerned strictly with the domain name, whereas virtual hosting
>> (as I’ve seen it) concerns content.
>>
>> Apache’s SNI configuration is poorly conceived, in my opinion. It forces
>> all domains on a given virtual host to use the same certificate, which
>> makes no sense. There is no reason whatsoever why “foo.com” and “bar.com”
>> should have to serve up the same certificate--regardless of whether those
>> two domains serve up the same content.
>>
>
> There is *nothing* that prevents you from configuring two virtualhosts in
> Apache from serving the same content, so your understanding of how that
> configuration works, has some blank spots.
>


Separate vhosts per domain produces larger httpd.conf files, which is a bad thing when you’re serving tens of thousands of domains, each of which has various separate directives, etc.

There is also the Include directive, but that’s loading separate files, which makes Apache restarts take longer.

mod_macro, new in 2.4, *might* make this better, but for us it will require a significant retooling effort since we already have well-worn vhost configuration templates.

>
>> Exim’s approach of making the SNI request available and allowing the admin
>> to do whatever with it is much more ideal. Please do NOT change this!
>>
>
> Exim's approach is currently a bit too monolithic to be usable for mass
> hosting of many domains with separate certificates, separate
> configurations, and separate logfiles.


Exim’s approach is BEAUTIFUL for the purpose of separate certificates per domain. cPanel 11.60 just shipped with this support added. The great thing is that, unlike Apache or Dovecot, the mapping of domain to certificate is dynamic, not in a static list. For shared hosting environments, where each machine/VPS can serve tens of thousands of individual domains, this is a boon.

I’d be fine with some facility to configure by-domain configs, logs, or what not in tandem with the certificate. Just as long as it’s still simple and easy to determine the certificate by the DOMAIN, not by served content.

-FG