Hello Nikos,

A little confused about it. Since even if I self-sign another CNAME domain, I still cannot get rid of the risk of domain resolution, right? Can ocserv tell them apart via the CN (common name) and deliver the cert according to IP-visit or domain-visit? The IP cert has already been issued with an IP CN, and the other cert with a domain CN; but they all share one private RSA key. Do you think the best solution is to re-issue the IP cert with an ECC key? Or shall I mark different "server-cert=xxx" strings, such as server-cert=192.168.2.100.pem, server-cert=domain.tld.pem?

I think the haproxy SNI feature probably could handle this scene, but without support for client certificates, am I right?

By the way, if a server has 2 public IPv4, 1 private IPv4 and a couple of IPv6 addresses, can we handle them properly at the same time with domain certs? It's believed the ocserv may load and maintain a list of CNs.

Regards,
Yick

2016-05-05 15:37 GMT+08:00 Nikos Mavrogiannopoulos <n.mavrogiannopoulos at gmail.com>:
> On Wed, May 4, 2016 at 10:19 AM, Yick Xie <yick.xie at gmail.com> wrote:
>> Hello,
>> Does ocserv support multiple certs and keys on one server?
>
> Yes, but they have to be either different type (ECC vs RSA) or have
> different host names set. That way ocserv would know how to serve each
> certificate on each connection. For the case you describe you could
> make an alias (CNAME) of your server address for the users to fallback
> and mark the fallback certificate with that name.
>
> regards,
> Nikos
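The rule Nikos states (two certificates can coexist only if they differ in key type or in host name) can be checked before touching ocserv. The script below is an added example, not code from the thread or from the ocserv project: it self-signs an RSA certificate for a DNS name and an ECC certificate for an IP address with openssl (1.1.1 or newer, for `-addext`), then compares key type and subjectAltName of any two PEM certificates so a pair that ocserv could not tell apart is caught early. The host name `vpn.example.com`, the address `192.168.2.100` and the file names are constructed placeholders; the `server-cert`/`server-key` lines it prints follow ocserv.conf's convention of one pair of lines per certificate.

```shell
#!/bin/sh
# Added example (not from the ocserv thread): create the two kinds of server
# certificate Nikos describes and verify that they are distinguishable for
# ocserv, i.e. they differ in key type (RSA vs ECC) or in host name.
# Names, IP and paths are constructed placeholders.
set -eu

# Self-signed RSA certificate for the DNS name (constructed: vpn.example.com).
make_dns_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -keyout "$1.key" -out "$1.crt" \
        -subj "/CN=vpn.example.com" \
        -addext "subjectAltName=DNS:vpn.example.com" >/dev/null 2>&1
}

# Self-signed ECC (P-256) certificate for the IP address (constructed: 192.168.2.100).
make_ip_cert() {
    openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes -days 365 \
        -keyout "$1.key" -out "$1.crt" \
        -subj "/CN=192.168.2.100" \
        -addext "subjectAltName=IP:192.168.2.100" >/dev/null 2>&1
}

# Print "rsa", "ecc" or "unknown" for the public key inside a PEM certificate.
cert_key_type() {
    case "$(openssl x509 -in "$1" -noout -text | grep -m1 'Public Key Algorithm')" in
        *rsaEncryption*)  echo rsa ;;
        *id-ecPublicKey*) echo ecc ;;
        *)                echo unknown ;;
    esac
}

# Print the subjectAltName entries of a certificate without whitespace,
# e.g. "DNS:vpn.example.com" or "IPAddress:192.168.2.100".
cert_names() {
    openssl x509 -in "$1" -noout -text \
        | grep -A1 'Subject Alternative Name' | tail -n1 | tr -d ' '
}

# Return 0 when ocserv can serve each certificate on its own connection
# (different key type or different names), 1 when the pair collides.
certs_distinguishable() {
    [ "$(cert_key_type "$1")" != "$(cert_key_type "$2")" ] && return 0
    [ "$(cert_names "$1")" != "$(cert_names "$2")" ] && return 0
    return 1
}

# Demo: build both certificates in a scratch directory, check the pair and
# print the matching ocserv.conf fragment (one server-cert/server-key pair
# of lines per certificate).
demo() {
    dir=$(mktemp -d)
    make_dns_cert "$dir/domain.tld"
    make_ip_cert "$dir/192.168.2.100"
    for c in "$dir/domain.tld.crt" "$dir/192.168.2.100.crt"; do
        printf '%s: key=%s names=%s\n' "$c" "$(cert_key_type "$c")" "$(cert_names "$c")"
    done
    if certs_distinguishable "$dir/domain.tld.crt" "$dir/192.168.2.100.crt"; then
        echo "ok: the two certificates differ in key type and in name"
    else
        echo "collision: re-issue one of them with another key type or host name"
    fi
    echo "# ocserv.conf fragment:"
    for n in domain.tld 192.168.2.100; do
        printf 'server-cert = %s\nserver-key = %s\n' "$dir/$n.crt" "$dir/$n.key"
    done
}

demo
```

Running the same check against a certificate and itself returns 1, which is the case from the thread: two certificates that share one RSA key and differ only in CN are separated by name alone, so any client that connects by IP and sends no SNI falls back to whatever ocserv serves by default.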