SSL SNI support

27 views
Skip to first unread message

Sawyer X

unread,
Mar 22, 2015, 2:10:58 PM3/22/15
to per...@googlegroups.com
Hi,

Supporting multiple SSL certificates on a single IP using SSL SNI became a useful feature for reverse proxies. Since Perlbal internally uses IO::Socket::SSL for SSL negotiation, it's rather simple adding it in core.

The internal change is simple: "SSL_key_file" and "SSL_cert_file" become hashes keyed by the domain they serve. Making it available in the configuration is the difficult part.

Perlbal configuration checks "SSL_key_file" and "SSL_cert_file" as filenames, not an optional hash with filenames as values. The configuration itself doesn't allow setting it as such, either. Unfortunately you cannot introduce a plugin that will transform some configuration key to a proper hash structure because, as far as I've seen, there is no hook that is called before the SSL handshake process - the point at which you already need the structure.

I thought of the following options (in order of preference):
1. Add additional keywords to core like "ssl_cert_dir" which reads the directory, the certificates inside it, and creates this hash automatically, and "ssl_domains" to provide an allow list of domains to include support, limiting which domains should be used.
2. Extend the syntax to allow a hash structure (not sure how that will look like).
3. Add a hook that gets run before, so you could edit the options to the SSL handshake.
4. Change nothing and write a plugin that monkey-patches like crazy. I don't know if it will even work.

While the 3rd option is the "change the least", I think SSL SNI should still be supported in core. A hook that runs before a connection to help you set it up (by allowing to change the connection options) still could (and should) be added.

Before I submit a Pull Request for the 1st option, I was hoping to get some input.

Sawyer.
Reply all
Reply to author
Forward
0 new messages