Multiple Certs and Keys

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



I tested and it did not work. Still the first one in the order would
be delivered, the case is the same as IP cert.

ONE cert was issued with dns_name="xxx.com";
TWO cert was issued with dns_name="vpn.yyy.net".

The gnutls is 3.3.18, some more configuration to enable SNI? How to
verify my environment? Perhaps due to some other outdated libs? Tested
using commit e142202583fff93ae3ece6b0163e90f371d84b71 (Date: Tue Apr
26 21:46:00 2016 +0200)

Regards,
Yick

2016-05-09 19:51 GMT+08:00 Nikos Mavrogiannopoulos
<n.mavrogiannopoulos at gmail.com>:
> On Thu, May 5, 2016 at 3:12 PM, Yick Xie <yick.xie at gmail.com> wrote:
>> Hello Nikos,
>>
>> A little confused about it. Since even I self-signed the another CNAME
>> domain, I still cannot get rid of the risk of domain resolution,
>> right? Can ocserv tell apart via CN(common name) and deliver the cert
>> according to IP-visit or domain-visit?
>
> ocserv can distinguish certificates to send based on SNI. If you setup
> ocserv with two certificates, one for xxx.com and the other for
> yyy.com, the clients which advertise one of the two DNS names should
> be served the corresponding certificates.
>
> For example for your self signed certificate you could issue it for the:
> self-signed.mydomain.com
> while the CA issued one as
> ca-issued.mydomain.com
>
> You should set these as the dns_name field.
>
> Then users connecting to self-signed.mydomain.com will be served the
> self signed one, while the other domain will be served the ca issued
> one.
>
> regards,
> Nikos



[Index of Archives]     [Linux Samsung SoC]     [Linux Rockchip SoC]     [Linux Actions SoC]     [Linux for Synopsys ARC Processors]     [Linux NFS]     [Linux NILFS]     [Linux USB Devel]     [Video for Linux]     [Linux Audio Users]     [Yosemite News]     [Linux Kernel]     [Linux SCSI]


  Powered by Linux