Re: SNI Config
much appreciated for the response

maybe a feature down the road??

Happy Wednesday !!!
Thanks - paul

Paul Kudla

Scom.ca Internet Services <http://www.scom.ca>
004-1009 Byron Street South
Whitby, Ontario - Canada
L1N 4S3

Toronto 416.642.7266
Main 1.866.411.7266
Fax 1.888.892.7266
Email p...@scom.ca

On 10/12/2022 8:12 AM, Aki Tuomi wrote:
> Hi!
>
> The pipe syntax has never worked, no idea why you think it would have.
> Unfortunately at the moment, files are your best option. I do understand
> the annoyance.
>
> Aki
>
>> On 12/10/2022 13:54 EEST Paul Kudla (SCOM.CA Internet Services Inc.) wrote:
>>
>> ok thanks for your input
>>
>> I finally tracked down the issue
>>
>> It was how I was loading the certificates in the first place
>>
>> that being said (and I must have missed this) 2.3.18 seems to allow
>> importing a cert from a program
>>
>> thus sni config
>>
>> local_name mail.paulkudla.net {
>>     ssl_key =/programs/common/getssl.cert -k mail.paulkudla.net -q yes
>>     ssl_cert =/programs/common/getssl.cert -r mail.paulkudla.net -q yes
>>     ssl_ca =/programs/common/getssl.cert -i mail.paulkudla.net -q yes
>> }
>>
>> would work instead of file pipes from individual text files.
>>
>> #local_name mail.paulkudla.net {
>> #    ssl_key =
>> #    ssl_cert =
>> #    ssl_ca =
>> #}
>>
>> 2.3.19 apparently no longer supports this?
>>
>> aki is there a way to pipe the cert from a program file (as indicated above)
>>
>> I am sure you can appreciate generating files for 1000+ ssl certs can
>> become a nightmare management wise
>>
>> either that or a pgsql select ?
>>
>> I have gone back to text files in the meantime ?
>>
>> Happy Wednesday !!!
>> Thanks - paul
>>
>> Paul Kudla
>>
>> Scom.ca Internet Services <http://www.scom.ca>
>> 004-1009 Byron Street South
>> Whitby, Ontario - Canada
>> L1N 4S3
>>
>> Toronto 416.642.7266
>> Main 1.866.411.7266
>> Fax 1.888.892.7266
>> Email p...@scom.ca
>>
>> On 10/11/2022 12:46 PM, Jochen Bern wrote:
>>> On 11.10.22 17:46, Paul Kudla (SCOM.CA Internet Services Inc.) wrote:
>>>> ok according to
>>>> https://www.openssl.org/docs/man1.0.2/man5/x509v3_config.html
>>>> SAN is not a valid option along with CN
>>>
>>> ... I don't see that being said in the page you refer to?
>>>
>>> Anyhow, "stop giving a CN, use SANs instead" is a rather recent
>>> development coming from the CA/Browser Forum - and IIUC still not a
>>> *requirement*, not even for web browsers/servers. I would be surprised
>>> if OpenSSL (already) were trying to enforce that policy.
>>>
>>> Hmmm, what's our company's "IMAPS server" throwing at my TB again ... ?
>>>
>>>> $ openssl s_client -connect outlook.office365.com:993 -showcerts |
>>>> openssl x509 -noout -text
>>> [...]
>>>> Subject: C = US, ST = Washington, L = Redmond, O = Microsoft
>>>> Corporation, CN = outlook.com
>>> [...]
>>>> X509v3 Subject Alternative Name:
>>>> DNS:*.clo.footprintdns.com, DNS:*.hotmail.com,
>>>> DNS:*.internal.outlook.com, [...]
>>>
>>> ... yeah, no, nothing that Thunderbird (from 69-ish to 102) should get
>>> indigestion over.
>>>
>>>> Upon further testing thunderbird seems to be locking onto the primary
>>>> domain (*.scom.ca) of the server skipping any sni setup ??
>>>
>>> You might want to get a network trace of your Thunderbird talking to the
>>> server to see what cert actually is presented by the server, and
>>> ideally, what domain is requested by SNI (if at all). That all happens
>>> before the connection starts to be encrypted, so you should be able to
>>> read it (say, with Wireshark) without having to crack any crypto ...
>>>
>>> Kind regards,
Re: SNI Config
Hi!

The pipe syntax has never worked, no idea why you think it would have.
Unfortunately at the moment, files are your best option. I do understand
the annoyance.

Aki

> On 12/10/2022 13:54 EEST Paul Kudla (SCOM.CA Internet Services Inc.) wrote:
>
> ok thanks for your input
>
> I finally tracked down the issue
>
> It was how I was loading the certificates in the first place
>
> that being said (and I must have missed this) 2.3.18 seems to allow
> importing a cert from a program
>
> thus sni config
>
> local_name mail.paulkudla.net {
>     ssl_key =/programs/common/getssl.cert -k mail.paulkudla.net -q yes
>     ssl_cert =/programs/common/getssl.cert -r mail.paulkudla.net -q yes
>     ssl_ca =/programs/common/getssl.cert -i mail.paulkudla.net -q yes
> }
>
> would work instead of file pipes from individual text files.
>
> #local_name mail.paulkudla.net {
> #    ssl_key =
> #    ssl_cert =
> #    ssl_ca =
> #}
>
> 2.3.19 apparently no longer supports this?
>
> aki is there a way to pipe the cert from a program file (as indicated above)
>
> I am sure you can appreciate generating files for 1000+ ssl certs can
> become a nightmare management wise
>
> either that or a pgsql select ?
>
> I have gone back to text files in the meantime ?
>
> Happy Wednesday !!!
> Thanks - paul
>
> Paul Kudla
>
> Scom.ca Internet Services <http://www.scom.ca>
> 004-1009 Byron Street South
> Whitby, Ontario - Canada
> L1N 4S3
>
> Toronto 416.642.7266
> Main 1.866.411.7266
> Fax 1.888.892.7266
> Email p...@scom.ca
>
> On 10/11/2022 12:46 PM, Jochen Bern wrote:
>> On 11.10.22 17:46, Paul Kudla (SCOM.CA Internet Services Inc.) wrote:
>>> ok according to
>>> https://www.openssl.org/docs/man1.0.2/man5/x509v3_config.html
>>> SAN is not a valid option along with CN
>>
>> ... I don't see that being said in the page you refer to?
>>
>> Anyhow, "stop giving a CN, use SANs instead" is a rather recent
>> development coming from the CA/Browser Forum - and IIUC still not a
>> *requirement*, not even for web browsers/servers. I would be surprised
>> if OpenSSL (already) were trying to enforce that policy.
>>
>> Hmmm, what's our company's "IMAPS server" throwing at my TB again ... ?
>>
>>> $ openssl s_client -connect outlook.office365.com:993 -showcerts |
>>> openssl x509 -noout -text
>> [...]
>>> Subject: C = US, ST = Washington, L = Redmond, O = Microsoft
>>> Corporation, CN = outlook.com
>> [...]
>>> X509v3 Subject Alternative Name:
>>> DNS:*.clo.footprintdns.com, DNS:*.hotmail.com,
>>> DNS:*.internal.outlook.com, [...]
>>
>> ... yeah, no, nothing that Thunderbird (from 69-ish to 102) should get
>> indigestion over.
>>
>>> Upon further testing thunderbird seems to be locking onto the primary
>>> domain (*.scom.ca) of the server skipping any sni setup ??
>>
>> You might want to get a network trace of your Thunderbird talking to the
>> server to see what cert actually is presented by the server, and
>> ideally, what domain is requested by SNI (if at all). That all happens
>> before the connection starts to be encrypted, so you should be able to
>> read it (say, with Wireshark) without having to crack any crypto ...
>>
>> Kind regards,
Re: SNI Config
ok thanks for your input

I finally tracked down the issue

It was how I was loading the certificates in the first place

that being said (and I must have missed this) 2.3.18 seems to allow
importing a cert from a program

thus sni config

local_name mail.paulkudla.net {
    ssl_key =/programs/common/getssl.cert -k mail.paulkudla.net -q yes
    ssl_cert =/programs/common/getssl.cert -r mail.paulkudla.net -q yes
    ssl_ca =/programs/common/getssl.cert -i mail.paulkudla.net -q yes
}

would work instead of file pipes from individual text files.

#local_name mail.paulkudla.net {
#    ssl_key =
#    ssl_cert =
#    ssl_ca =
#}

2.3.19 apparently no longer supports this?

aki is there a way to pipe the cert from a program file (as indicated above)

I am sure you can appreciate generating files for 1000+ ssl certs can
become a nightmare management wise

either that or a pgsql select ?

I have gone back to text files in the meantime ?

Happy Wednesday !!!
Thanks - paul

Paul Kudla

Scom.ca Internet Services <http://www.scom.ca>
004-1009 Byron Street South
Whitby, Ontario - Canada
L1N 4S3

Toronto 416.642.7266
Main 1.866.411.7266
Fax 1.888.892.7266
Email p...@scom.ca

On 10/11/2022 12:46 PM, Jochen Bern wrote:
> On 11.10.22 17:46, Paul Kudla (SCOM.CA Internet Services Inc.) wrote:
>> ok according to
>> https://www.openssl.org/docs/man1.0.2/man5/x509v3_config.html
>> SAN is not a valid option along with CN
>
> ... I don't see that being said in the page you refer to?
>
> Anyhow, "stop giving a CN, use SANs instead" is a rather recent
> development coming from the CA/Browser Forum - and IIUC still not a
> *requirement*, not even for web browsers/servers. I would be surprised
> if OpenSSL (already) were trying to enforce that policy.
>
> Hmmm, what's our company's "IMAPS server" throwing at my TB again ... ?
>
>> $ openssl s_client -connect outlook.office365.com:993 -showcerts |
>> openssl x509 -noout -text
> [...]
>> Subject: C = US, ST = Washington, L = Redmond, O = Microsoft
>> Corporation, CN = outlook.com
> [...]
>> X509v3 Subject Alternative Name:
>> DNS:*.clo.footprintdns.com, DNS:*.hotmail.com,
>> DNS:*.internal.outlook.com, [...]
>
> ... yeah, no, nothing that Thunderbird (from 69-ish to 102) should get
> indigestion over.
>
>> Upon further testing thunderbird seems to be locking onto the primary
>> domain (*.scom.ca) of the server skipping any sni setup ??
>
> You might want to get a network trace of your Thunderbird talking to the
> server to see what cert actually is presented by the server, and
> ideally, what domain is requested by SNI (if at all). That all happens
> before the connection starts to be encrypted, so you should be able to
> read it (say, with Wireshark) without having to crack any crypto ...
>
> Kind regards,
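A way to check what Jochen suggests without a packet capture, as an added example that is not code from the thread or from Dovecot (Python 3 standard library only; the function names are mine): open an IMAPS connection sending a chosen SNI name, see which certificate the server hands back, and test whether its SAN entries cover that name. The Subject CN is deliberately ignored, which is the point of the CN-versus-SAN exchange above, and running it with several names against one server shows whether the server really switches certificates per SNI or always serves the primary one.

```python
import socket
import ssl
import sys

def cert_dns_names(cert):
    """dNSName SAN entries from an ssl.SSLSocket.getpeercert()-style dict."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]

def name_matches(hostname, pattern):
    """Match a hostname against one SAN entry: exact, or a single-label
    leading '*' wildcard (so *.hotmail.com covers imap.hotmail.com but not
    a.b.hotmail.com). Case-insensitive; a trailing dot is ignored."""
    host = hostname.lower().rstrip(".").split(".")
    pat = pattern.lower().rstrip(".").split(".")
    if pat[0] == "*":
        return len(pat) > 1 and len(host) == len(pat) and host[1:] == pat[1:]
    return host == pat

def covers(cert, hostname):
    """True if some SAN dNSName covers hostname. The Subject CN is ignored
    on purpose: that is what current mail clients and browsers do."""
    return any(name_matches(hostname, name) for name in cert_dns_names(cert))

def probe_sni(host, port, sni, timeout=5.0):
    """Open an implicit-TLS connection (e.g. IMAPS on 993) to host:port,
    send `sni` in the ClientHello, and return the leaf cert as a dict.
    Hostname checking is off so a mismatching cert is still returned; the
    chain must still validate against the system CA store, and a failure
    there raises ssl.SSLCertVerificationError, which is itself a finding."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=sni) as tls:
            return tls.getpeercert()

def sni_report(host, port, sni):
    """Probe once and return (covered, san_list) for the name that was sent."""
    cert = probe_sni(host, port, sni)
    return covers(cert, sni), cert_dns_names(cert)

if __name__ == "__main__":
    # usage: python probe_sni.py <host> <port> <sni-name> [<sni-name> ...]
    target, port = sys.argv[1], int(sys.argv[2])
    for name in sys.argv[3:]:
        ok, sans = sni_report(target, port, name)
        print(f"{name}: {'covered' if ok else 'NOT covered'} by SANs {sans}")
```

If the chain is not trusted by the probing machine (a private CA, for instance), `openssl s_client -servername <name> -connect host:993` as used in the thread still shows the served certificate.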