On 19/12/2018 20:09, Amos Jeffries wrote:
> OpenSSL definitely can use only one certificate per http(s)_port. Either
> the _last_ loaded if several PEM files are loaded (each call to the
> OpenSSL API *replaces* the certs loaded), or if one tries to work around
> that by merging everything into a single PEM and only loading it all at
> once - only the _first_ cert chain is ever used from that set.
Sorry for maybe going a bit off-topic, just curious about it.
I'm mostly clueless about the implications and intricacies of "behind
the scenes" of SNI, but most modern webservers support it (Apache,
nginx, IIS). Apache, for instance, says it should be built with "OpenSSL
with the TLS Extensions option enabled", since OpenSSL v0.9.8f. And
their configuration for Virtual Hosts and SSL/TLS is rather simple from a
user's view.
So, my question would be: why would Squid have problems with SNI and
OpenSSL when other webservers/proxies have this feature using the
OpenSSL/LibreSSL libs?
In my (user's) opinion, Squid has far more complex features with SSL
Bump and other forward proxy handling for SSL/TLS. Why would SNI be such
a big deal?
-Bruno
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
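Background for the exchange above, as an added illustration that is not code from the thread, from Squid or from OpenSSL: an OpenSSL SSL_CTX carries one certificate chain per key type, which is the limit Amos describes. Servers such as Apache and nginx serve many names on one port by reading the server_name (SNI) extension from the ClientHello and switching the connection to a different SSL_CTX in the servername callback (SSL_CTX_set_tlsext_servername_callback). The script below shows the two halves of that mechanism without any real TLS: it decodes the SNI host_name from a raw ClientHello record and then picks the per-name "context" for it. The ClientHello bytes are constructed by a helper in the same block, and the certificate chains are placeholder labels, so the host names and labels are assumptions for the example only.

```python
"""Decode the SNI extension from a TLS ClientHello and select a per-name context.
Added example; stdlib only, no network and no real certificates."""
import struct

# Constructed registry: one certificate chain per name, the way one SSL_CTX
# holds one chain.  Labels are placeholders, not real certificate material.
CERT_BY_HOST = {
    "www.example.com": "chain-example",
    "mail.example.com": "chain-mail",
}
DEFAULT_CERT = "chain-default"   # what a default SSL_CTX would serve without SNI

TLS12 = b"\x03\x03"


def build_client_hello(server_name=None):
    """Build a minimal TLS 1.2 ClientHello record; only for constructing test input."""
    extensions = b""
    if server_name is not None:
        name = server_name.encode("idna")
        entry = b"\x00" + struct.pack("!H", len(name)) + name        # name_type 0 = host_name
        sni_list = struct.pack("!H", len(entry)) + entry
        extensions += struct.pack("!HH", 0x0000, len(sni_list)) + sni_list   # ext type 0 = server_name
    body = (TLS12 + b"\x00" * 32                 # client_version, random (zeros: sample only)
            + b"\x00"                            # empty session_id
            + b"\x00\x02\xc0\x2f"                # one cipher suite (ECDHE-RSA-AES128-GCM-SHA256)
            + b"\x01\x00"                        # null compression only
            + struct.pack("!H", len(extensions)) + extensions)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body        # handshake type 1 = client_hello
    return b"\x16" + TLS12 + struct.pack("!H", len(handshake)) + handshake   # record type 0x16 = handshake


def _u16(buf, i):
    """Read a big-endian uint16 at offset i, refusing to read past the buffer."""
    if i + 2 > len(buf):
        raise ValueError("truncated ClientHello")
    return struct.unpack("!H", buf[i:i + 2])[0]


def extract_sni(record):
    """Return the host_name sent in the server_name extension, or None if absent.
    Raises ValueError on anything that is not a well-formed ClientHello record."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    hs = record[5:5 + _u16(record, 3)]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                                  # skip client_version and random
    if pos >= len(body):
        raise ValueError("truncated ClientHello")
    pos += 1 + body[pos]                          # session_id
    pos += 2 + _u16(body, pos)                    # cipher_suites
    if pos >= len(body):
        raise ValueError("truncated ClientHello")
    pos += 1 + body[pos]                          # compression_methods
    if pos == len(body):
        return None                               # no extensions block at all
    end = pos + 2 + _u16(body, pos)
    pos += 2
    if end > len(body):
        raise ValueError("extensions overrun ClientHello")
    while pos + 4 <= end:
        etype, elen = _u16(body, pos), _u16(body, pos + 2)
        edata = body[pos + 4:pos + 4 + elen]
        pos += 4 + elen
        if len(edata) != elen:
            raise ValueError("truncated extension")
        if etype != 0x0000:
            continue
        list_end = min(len(edata), 2 + _u16(edata, 0))
        p = 2
        while p + 3 <= list_end:                  # ServerName list: type(1) len(2) name
            ntype, nlen = edata[p], _u16(edata, p + 1)
            name = edata[p + 3:p + 3 + nlen]
            p += 3 + nlen
            if ntype == 0 and len(name) == nlen:
                return name.decode("ascii")
    return None


def select_certificate(record):
    """Model of a servername callback: choose the per-name context (here, its one
    chain) for the requested host, or keep the default when SNI is absent or unknown."""
    name = extract_sni(record)
    if name is None:
        return DEFAULT_CERT
    return CERT_BY_HOST.get(name.lower(), DEFAULT_CERT)


if __name__ == "__main__":
    for host in ("www.example.com", "mail.example.com", "other.example.com", None):
        print(host, "->", select_certificate(build_client_hello(host)))
```

The lookup in `select_certificate` stands in for the switch to another SSL_CTX; a server that wants to serve several names on one port needs one such context per name, not several chains in one context, which is why loading multiple PEM files into a single context ends with only one of them in use. The `None` case matters for a forward proxy too: clients that connect to an IP literal or predate SNI send no server_name at all, and the server can only answer with its default chain.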