[Devel] Re: [Users] TLS setup

Cesc cesc.santa at gmail.com
Fri Nov 11 11:16:50 CET 2005


To patch and modify the openssl lib? Yes ;)
I have not had time to check the patch, but I think it would be very
useful. On the other hand, a non-built-in solution from openssl is not what
we want. TLS would stop being an out-of-the-box solution. People have enough
problems figuring out how to install and run openser (no offense meant) ...
now add those nuisances of patching, compiling and installing your very own
openssl :)
But I do think that the TLS name extension is the way to go for
multi-domain ... but I see there are some other priorities (like a robust
process for verifying certs and dynamic TLS domain configuration).
Regards,
Cesc

 On 11/10/05, Bogdan-Andrei Iancu <bogdan at voice-system.ro> wrote:
>
> Hi Cesc,
>
> I will take a look to see what it is about ... have you ever tried something
> similar?
>
> regards,
> bogdan
>
> Cesc wrote:
>
> > See this thread at openssl-dev ... the guy has the patch, but the
> > developers in openssl do not seem enthusiastic (I remember once one
> > replied ... but then the guy with the patch didn't say much again ...
> > ). But I guess it will be incorporated some day ... but not soon.
> >
> > http://www.seagate.cc:8000/message/20051013.172329.898bd9d2.en.html
> >
> > And I have no idea how good the patch is ...
> >
> > Cesc
> >
> > On 11/3/05, Bogdan-Andrei Iancu <bogdan at voice-system.ro> wrote:
> >
> > Hi Cesc,
> >
> > during a private discussion (in front of a beer ;) ) you mentioned there
> > is such an extension for openssl - is that right? If so, can you please
> > point to it?
> >
> > regards,
> > bogdan
> >
> > Cesc wrote:
> >
> > >
> > > On 10/12/05, Klaus Darilion <klaus.mailinglists at pernau.at> wrote:
> > >
> > > FYI: In rfc3546 (section 3.1), there is a TLS extension targeting this
> > > problem:
> > >
> > > Specifically, the extensions described in this document are designed
> > > to:
> > > - Allow TLS clients to provide to the TLS server the name of the
> > > server they are contacting. This functionality is desirable to
> > > facilitate secure connections to servers that host multiple
> > > 'virtual' servers at a single underlying network address.
> > >
> > > AFAIK this is not supported in openssl, only in GNUTLS.
> > >
> > > This is indeed nice ... but then, do you propose moving the ser-tls
> > > implementation from openssl to gnutls? :( I think it may not be
> > > worth it (it means that any testing till now is not valid) and my guess
> > > is that openssl shall support this anytime soon (this is just a hunch).
> > >
> > > Cesc
>
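
The server_name extension quoted above from RFC 3546 section 3.1, parsed the way a multi-domain TLS server has to before it can pick a per-domain certificate. This is an added example, not code from openser, openssl or the patch discussed in the thread; the domain table, file paths and function names are hypothetical.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical per-domain TLS settings; names and paths are constructed. */
struct tls_domain { const char *name; const char *cert_file; };
static const struct tls_domain domains[] = {
    { "default",         "/etc/example/default.pem" },  /* index 0: fallback */
    { "sip.example.org", "/etc/example/org.pem" },
    { "sip.example.net", "/etc/example/net.pem" },
};

/* Parse the extension_data of server_name (RFC 3546, section 3.1):
 * 2-byte list length, then entries of 1-byte name_type, 2-byte length, name.
 * Copies the first host_name (type 0), lower-cased, into out. Returns 0, or
 * -1 if absent or malformed; every length is checked against the input. */
int sni_host_name(const unsigned char *ext, size_t len, char *out, size_t outlen)
{
    size_t pos = 2, list_len, n, i;
    if (len < 2) return -1;
    list_len = ((size_t)ext[0] << 8) | ext[1];
    if (list_len != len - 2) return -1;            /* list must fill the data */
    while (pos + 3 <= len) {
        unsigned char type = ext[pos];
        n = ((size_t)ext[pos + 1] << 8) | ext[pos + 2];
        pos += 3;
        if (n == 0 || n > len - pos) return -1;    /* empty or truncated entry */
        if (type == 0) {
            if (n >= outlen || memchr(ext + pos, 0, n)) return -1;
            for (i = 0; i < n; i++) out[i] = (char)tolower(ext[pos + i]);
            out[n] = '\0';
            return 0;
        }
        pos += n;                                  /* skip unknown name types */
    }
    return -1;
}

/* Map the client-supplied (unauthenticated) name to a domain index; a missing,
 * malformed or unknown name falls back to index 0, the default domain. */
size_t select_tls_domain(const unsigned char *ext, size_t len)
{
    char host[256];
    size_t i;
    if (sni_host_name(ext, len, host, sizeof host) != 0) return 0;
    for (i = 1; i < sizeof domains / sizeof domains[0]; i++)
        if (strcmp(host, domains[i].name) == 0) return i;
    return 0;
}
```

The name arrives in the clear in the ClientHello and is chosen by the client, so it is only a hint for selecting configuration, never an identity check.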