1 (edited by istuary.whistler 2017-03-09 12:16:33)

Topic: Question re: SNI support in wolfSSL (server hosting multiple domains)

I've searched the forum but I haven't found an answer...

I'm curious whether wolfSSL supports RFC 6066, specifically in regards to a server side hosting multiple domains.  For example,
    https://www.cats.com  (IP 123.456.78.910)
    https://www.dogs.com (IP 123.456.78.910)
    https://www.cars.com  (IP 123.456.78.910)

Each domain has a certificate.  Certificate for cats.com is different than the certificate for dogs.com.

The client will send a ClientHello to the host server with Server Name Indication (SNI) to specify the domain it wants to reach at IP 123.456.78.910.

I expect the server to use the SNI from the ClientHello to look up the correct certificate, and send the appropriate certificate for the domain back to the client.

Does wolfSSL support this? I'm confused whether wolfSSL supports the SNI-certificate lookup.  The wolfSSL manual states for wolfSSL_CTX_UseSNI:

"This function enables the use of Server Name Indication for SSL objects created from
the SSL context passed in the 'ctx' parameter. It means that the SNI extension will be
sent on ClientHello by wolfSSL clients and wolfSSL servers will respond ClientHello +
SNI with either ServerHello + blank SNI or alert fatal in case of SNI mismatch."

So... there is no reference to the certificate lookup.

In section 4.9 of the manual:

"On the server side one of the same function calls is required. Since the wolfSSL server
doesn't host multiple 'virtual' servers, the SNI usage is useful when the termination of
the connection is desired in the case of SNI mismatch."

Does this mean wolfSSL does not send the certificate corresponding to the domain specified by the ClientHello SNI?

If it does support multiple domain certificates, which wolfSSL APIs are used for this? wolfSSL_CTX_use_certificate_file() appears to support a single server certificate, not multiple certificates for this application.

Thanks in advance!


Re: Question re: SNI support in wolfSSL (server hosting multiple domains)

Hi istuary.whistler,

As you can see in our manual, wolfSSL does NOT support multiple 'virtual' servers, therefore, we only support one certificate or certificate chain at a time.

There is one function that might help you: TLSX_SNI_GetFromBuffer();

It parses a ClientHello and extracts the SNI inside of it. This way it would be possible to forward the connection to a specific WOLFSSL_CTX containing the desired certificate.

[ ]'s
Moisés

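The approach in the reply (inspect the ClientHello before the handshake starts, read the SNI host_name, and hand the connection to the WOLFSSL_CTX that holds that domain's certificate), as an added, self-contained C example that is not wolfSSL code and not from either post. It performs the same extraction wolfSSL's TLSX_SNI_GetFromBuffer() does internally, on a ClientHello the example constructs itself, and maps the name to one of the three hostnames from the question. build_client_hello(), sni_from_client_hello(), select_vhost() and the VHOSTS table are assumptions for illustration; a real dispatcher would return a WOLFSSL_CTX pointer instead of an index.

```c
#include <assert.h>
#include <stdint.h>
#include <string.h>
#include <strings.h>

/* Read a 16-bit big-endian length at buf[pos]. */
static size_t be16(const uint8_t *buf, size_t pos)
{
    return ((size_t)buf[pos] << 8) | buf[pos + 1];
}

/* Extract the SNI host_name from a raw TLS record holding a ClientHello.
 * Returns 1 and NUL-terminates out on success; 0 if the record is not a
 * ClientHello, is truncated/malformed, or carries no server_name extension.
 * Every length is bounds-checked before it is trusted: the buffer comes from
 * an unauthenticated peer. (Illustrative parser, not TLSX_SNI_GetFromBuffer.) */
static int sni_from_client_hello(const uint8_t *buf, size_t len,
                                 char *out, size_t out_sz)
{
    if (len < 5 || buf[0] != 22) return 0;            /* record type handshake */
    size_t rec_len = be16(buf, 3);
    if (rec_len + 5 > len) return 0;                  /* truncated record */
    len = rec_len + 5;
    size_t pos = 5;
    if (pos + 4 > len || buf[pos] != 1) return 0;     /* handshake ClientHello */
    pos += 4;
    if (pos + 34 > len) return 0;                     /* version + random */
    pos += 34;
    if (pos + 1 > len) return 0;
    size_t sid_len = buf[pos++];                      /* session_id */
    if (sid_len > 32 || pos + sid_len > len) return 0;
    pos += sid_len;
    if (pos + 2 > len) return 0;
    size_t cs_len = be16(buf, pos);                   /* cipher_suites */
    pos += 2;
    if (cs_len < 2 || (cs_len & 1) || pos + cs_len > len) return 0;
    pos += cs_len;
    if (pos + 1 > len) return 0;
    size_t cm_len = buf[pos++];                       /* compression_methods */
    if (cm_len < 1 || pos + cm_len > len) return 0;
    pos += cm_len;
    if (pos + 2 > len) return 0;                      /* no extensions: no SNI */
    size_t ext_end = pos + 2 + be16(buf, pos);
    pos += 2;
    if (ext_end > len) return 0;
    while (pos + 4 <= ext_end) {
        size_t ext_type = be16(buf, pos), ext_len = be16(buf, pos + 2);
        pos += 4;
        if (pos + ext_len > ext_end) return 0;
        if (ext_type == 0) {                          /* server_name, RFC 6066 s.3 */
            size_t p = pos, end = pos + ext_len;
            if (p + 2 > end || p + 2 + be16(buf, p) > end) return 0;
            p += 2;
            while (p + 3 <= end) {                    /* walk ServerNameList */
                uint8_t name_type = buf[p];
                size_t name_len = be16(buf, p + 1);
                p += 3;
                if (p + name_len > end) return 0;
                if (name_type == 0) {                 /* host_name */
                    if (name_len == 0 || name_len >= out_sz) return 0;
                    memcpy(out, buf + p, name_len);
                    out[name_len] = '\0';
                    return 1;
                }
                p += name_len;
            }
            return 0;
        }
        pos += ext_len;
    }
    return 0;
}

/* Constructed sample input: a minimal TLS 1.2 ClientHello with one SNI
 * host_name (not a capture). Returns the number of bytes written to out. */
static size_t build_client_hello(const char *host, uint8_t *out)
{
    size_t hlen = strlen(host), p = 0;
    size_t sni_ext = 2 + 3 + hlen, ext_total = 4 + sni_ext;
    size_t body = 2 + 32 + 1 + 2 + 2 + 1 + 1 + 2 + ext_total;
    out[p++] = 22; out[p++] = 3; out[p++] = 3;                    /* record hdr */
    out[p++] = (uint8_t)((body + 4) >> 8); out[p++] = (uint8_t)(body + 4);
    out[p++] = 1; out[p++] = 0;                                   /* ClientHello */
    out[p++] = (uint8_t)(body >> 8); out[p++] = (uint8_t)body;
    out[p++] = 3; out[p++] = 3;                                   /* version */
    memset(out + p, 0xAB, 32); p += 32;                           /* random */
    out[p++] = 0;                                                 /* no session id */
    out[p++] = 0; out[p++] = 2; out[p++] = 0xC0; out[p++] = 0x2F; /* one suite */
    out[p++] = 1; out[p++] = 0;                                   /* null compression */
    out[p++] = (uint8_t)(ext_total >> 8); out[p++] = (uint8_t)ext_total;
    out[p++] = 0; out[p++] = 0;                                   /* ext server_name */
    out[p++] = (uint8_t)(sni_ext >> 8); out[p++] = (uint8_t)sni_ext;
    out[p++] = (uint8_t)((hlen + 3) >> 8); out[p++] = (uint8_t)(hlen + 3);
    out[p++] = 0; out[p++] = (uint8_t)(hlen >> 8); out[p++] = (uint8_t)hlen;
    memcpy(out + p, host, hlen);
    return p + hlen;
}

/* One entry per virtual server, standing in for one WOLFSSL_CTX each
 * (hostnames taken from the question). */
static const char *const VHOSTS[] = { "www.cats.com", "www.dogs.com", "www.cars.com" };

/* Index of the context whose certificate matches the SNI, -1 if none.
 * Host names are case-insensitive, so a byte-exact compare would be wrong. */
static int select_vhost(const uint8_t *hello, size_t len)
{
    char host[256];
    if (!sni_from_client_hello(hello, len, host, sizeof host)) return -1;
    for (size_t i = 0; i < sizeof VHOSTS / sizeof *VHOSTS; i++)
        if (strcasecmp(host, VHOSTS[i]) == 0) return (int)i;
    return -1;
}

/* Build a hello for host, optionally drop `drop` trailing bytes to simulate a
 * short read, and dispatch it. */
static int roundtrip(const char *host, size_t drop)
{
    uint8_t buf[512];
    size_t n = build_client_hello(host, buf);
    return select_vhost(buf, n - drop);
}
```

An unknown name and a truncated record both yield -1, which is where a server would fall back to a default context or send the fatal alert the manual mentions; the point of checking every length before use is that this code runs on bytes from a peer that has not yet been authenticated.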