I tested and it did not work. Still the first one in the order would be delivered; the case is the same as with the IP cert. Cert ONE was issued with dns_name="xxx.com"; cert TWO was issued with dns_name="vpn.yyy.net".

GnuTLS is 3.3.18; is some more configuration needed to enable SNI? How can I verify my environment? Perhaps it is due to some other outdated libs?

Tested using commit e142202583fff93ae3ece6b0163e90f371d84b71 (Date: Tue Apr 26 21:46:00 2016 +0200)

Regards,
Yick

2016-05-09 19:51 GMT+08:00 Nikos Mavrogiannopoulos <n.mavrogiannopoulos at gmail.com>:
> On Thu, May 5, 2016 at 3:12 PM, Yick Xie <yick.xie at gmail.com> wrote:
>> Hello Nikos,
>>
>> A little confused about it. Since even if I self-sign the other CNAME
>> domain, I still cannot get rid of the risk of domain resolution,
>> right? Can ocserv tell apart via CN (common name) and deliver the cert
>> according to IP-visit or domain-visit?
>
> ocserv can distinguish certificates to send based on SNI. If you set up
> ocserv with two certificates, one for xxx.com and the other for
> yyy.com, the clients which advertise one of the two DNS names should
> be served the corresponding certificates.
>
> For example, for your self-signed certificate you could issue it for:
> self-signed.mydomain.com
> while the CA-issued one is for:
> ca-issued.mydomain.com
>
> You should set these as the dns_name field.
>
> Then users connecting to self-signed.mydomain.com will be served the
> self-signed one, while the other domain will be served the CA-issued
> one.
>
> regards,
> Nikos
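The verification step the message asks about ("How can I verify my environment?"), as an added example that is not part of this thread and not ocserv's or GnuTLS's own tooling: a small POSIX sh script that connects to the server once per expected SNI name with openssl s_client, extracts the DNS entries of the served certificate's Subject Alternative Name (the certtool dns_name field that ocserv matches against SNI, not the CN), and reports whether the advertised name is covered. It assumes openssl(1) is installed; the host and port come from placeholder environment variables, the function names are hypothetical, and the thread's two names xxx.com and vpn.yyy.net are used only as sample values. If both names come back with the same SAN list, the server is still serving the first certificate regardless of SNI, which is the symptom described above.

```shell
#!/bin/sh
# Added example (not from the ocserv thread): check which certificate a TLS
# server returns for a given SNI name, by comparing the DNS SAN entries of
# the served leaf certificate against the name the client advertised.
# Assumes openssl(1) is installed. OCSERV_HOST / OCSERV_PORT and the SNI
# names are placeholders; xxx.com and vpn.yyy.net are sample values.

# Read `openssl x509 -text` output on stdin and print one DNS SAN entry per
# line. Other SAN types (IP Address, email, ...) are dropped.
san_dns_names() {
    awk '/Subject Alternative Name/ { getline; print; exit }' \
      | tr ',' '\n' \
      | sed -n 's/^[[:space:]]*DNS:\([^[:space:]]*\).*/\1/p'
}

# Print the DNS SAN entries of the leaf certificate that $1:$2 presents when
# the client advertises SNI name $3. Needs network access to the server.
served_dns_names() {
    openssl s_client -connect "$1:$2" -servername "$3" </dev/null 2>/dev/null \
      | openssl x509 -noout -text \
      | san_dns_names
}

# Exit status 0 when the name list on stdin contains $1 as a whole line.
names_contain() {
    grep -qx -- "$1"
}

# Check one SNI name: succeed if the served certificate covers it,
# otherwise report which names were served instead.
check_sni() {
    host=$1 port=$2 sni=$3
    names=$(served_dns_names "$host" "$port" "$sni")
    if printf '%s\n' "$names" | names_contain "$sni"; then
        echo "OK   $sni: served certificate lists $sni"
        return 0
    fi
    echo "FAIL $sni: served certificate lists: $(printf '%s' "$names" | tr '\n' ' ')"
    return 1
}

# Run the live check only when a host is supplied, e.g.
#   OCSERV_HOST=vpn.yyy.net OCSERV_PORT=443 sh sni-check.sh
if [ -n "${OCSERV_HOST:-}" ]; then
    for name in xxx.com vpn.yyy.net; do
        check_sni "$OCSERV_HOST" "${OCSERV_PORT:-443}" "$name"
    done
fi
```

Run it against the ocserv listener once with each dns_name you expect to be served; a correct SNI setup prints OK for both, while the failure described in the message prints OK for the first certificate's name and FAIL (listing that same certificate's SAN) for the second.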