Hi, yes, from the code you've pasted, I see it is able to distinguish the server name. And indeed it works: openssl s_client -connect some-server:143 -starttls imap -servername some-domain Makes cyrus log: TLS Server Name Indication (SNI) Extension: "some-domain" So in a way, Cyrus is able to use SNI. However, I don't see a way to set Cyrus to listen on one IP, but to be able to serve different certificates. -- Tomasz Chmielewski http://www.sslrack.com On 2014-07-03 11:54, Niels dettenbach wrote: > Am 03.07.2014 11:39, schrieb Tomasz Chmielewski: >> Does Cyrus support SNI (Server Name Indication) is SSL? >> >> I couldn't find this info in Cyrus documentation. > > > from my last point of information cyrus doesn't provide SNI so far in > the meaning of virtual TLS hosting. > > The only thing i find is: > > --- snip --- > #if (OPENSSL_VERSION_NUMBER >= 0x0090806fL) > static int servername_callback(SSL *ssl, int *ad > __attribute__((unused)), > void *arg __attribute__((unused))) > { > const char *servername = SSL_get_servername(ssl, > TLSEXT_NAMETYPE_host_name); > > if (servername) { > syslog(LOG_DEBUG, "TLS Server Name Indication (SNI) Extension: \"%s\"", > servername); > } > > return SSL_TLSEXT_ERR_OK; > } > #endif > --- snap --- > > ...seems to just check if the SNI TLS details from client are correct > (if the openssl is new enough to provide "SNI"). This doesn't need any > further configuration of cyrus. > > SNI just makes sense if each client provides SNI too and this is afaik > not the case for - compared to i.e. http - many mail clients. > > But i'm still open to learn anything new about this... > > > Best regards, > > Niels. > --- > Niels Dettenbach > Syndicat IT&Internet > http://www.syndicat.com > ---- > Cyrus Home Page: http://www.cyrusimap.org/ > List Archives/Info: http://lists.andrew.cmu.edu/pipermail/info-cyrus/ > To Unsubscribe: > https://lists.andrew.cmu.edu/mailman/listinfo/info-cyrus ---- Cyrus Home Page: http://www.cyrusimap.org/ List Archives/Info: http://lists.andrew.cmu.edu/pipermail/info-cyrus/ To Unsubscribe: https://lists.andrew.cmu.edu/mailman/listinfo/info-cyrus
