ohh, i got it now~
i misunderstood the way that ats implements sni; now i have successfully tested the ssl sni.
with those config lines in ssl_multicert.config:

dest_ip=zyq.test.com ssl_cert_name=zyq.crt ssl_key_name=zyq.key
dest_ip=zy2.test.com ssl_cert_name=zy2.crt ssl_key_name=zy2.key
dest_ip=zy3.test.com ssl_cert_name=zy3.crt ssl_key_name=zy3.key

ats is able to select the correct certificate to present to the client~

thanks all ^_^

At 2013-03-12 16:07:01, "Uri Shachar" <[email protected]> wrote:
>Hi,
>
> I'm not sure I understand what you are trying to achieve.
>If the ATS is acting as a terminating reverse proxy (which is what I guess you
>are trying to achieve):
>Receiving an HTTPS request on port 443 (Straight TLS -- Not an HTTP CONNECT
>request), terminating the SSL connection and creating a new SSL connection
>upstream.
>
>It needs to present some certificate to the client. The certificate it selects
>can be configured via the ssl_multicert config file -- the one that you have
>attached tells the ATS to use a single cert for all origin servers. If you
>want it to be able to display the cert for site X then you need to copy the
>certificate to the proxy and configure it in the ssl_multicert.config....
>(You also need to ensure that your browser sends SNI information -- All modern
>ones do except for IE over Windows XP)
>
>If this isn't clear, could you send a cURL request/response?
>
> Cheers,
> Uri
>
>________________________________
>> Date: Tue, 12 Mar 2013 11:22:15 +0800
>> From: [email protected]
>> To: [email protected]
>> Subject: Re:Re: ssl reverse proxy and ssl sni ?
>>
>> hi, Leif
>>
>> it seems it doesn't work...
>> following is my test config:
>>
>> ssl_multicert.config:
>> dest_ip=* ssl_cert_name=cert.pem ssl_key_name=key.pem
>>
>> records.config:
>> CONFIG proxy.config.http.server_ports STRING 80 443:ssl
>>
>> remap.config:
>> map https://.*.test.com/ https://$1.test.com/
>>
>> with SNI and SSL Termination, i want, when the browser accesses
>> https://a.test.com, that it shows the certificate of a.test.com;
>>
>> but the above configuration shows all the https sites the same
>> certificate...
>>
>> i don't know whether i misunderstand the sni and ssl termination, or
>> the config is not correct~
>>
>>
>>
>> At 2013-03-11 22:19:24, "Leif Hedstrom" <[email protected]> wrote:
>> If you run a version of ATS that supports SNI, yes. Pretty sure v3.2.4
>> does, for example.
>>
>> -- Leif
>>
>> On Mar 11, 2013, at 4:00 AM, Esmq <[email protected]> wrote:
>>
>> hi, all
>>
>> we know that an extension to TLS called Server Name Indication (SNI)
>> enables a web server to select the correct virtual domain
>> and show the browser the certificate containing the correct name...
>>
>> apache/nginx just do the right thing...
>>
>> and i know when configuring ats as an ssl reverse proxy, the certificate
>> shown to the browser is the certificate that is on ats, not the certificate
>> on the original server...
>>
>> so, when ats acts as a reverse proxy, does sni work?
