On 2 Sep 2016, at 1:59 PM, Reinis Rozitis <r@roze.lv> wrote:
Actually, that’s a big annoyance with Apache, that the configuration expects every virtual host to have the same SSL certificate. So if your vhost has 5 domains, you need a single certificate with 5 domains. Bleh.
Well you just make 5 vhosts with each having its own certificate definition but everything else common (like use include etc). Though this is out of scope for this mailing list.
On a site that hosts tens of thousands of domains that becomes inefficient very quickly. But, as you say, off-topic.
Mail is less useful but still relevant: domain owners want to brand all of their services with their domain name. If I’m setting up “felipes-stuff.com” and have employees go to “hals-hosting.net” for mail, that’s not as “branded” of an experience as if everything used the same domain.
Database access is similar. There is still a use case for SNI here, even if it’s not the most apparent one.
If you really want to "brand" your single Mysql instance by having multiple SSL certificates (as the previous person said - I don't see a very valid reason either) you can plug an SSL offloader like haproxy between in TCP mode. Then just simply provide a directory of all the *.pem certificates and haproxy will do the rest.
We’ll still need a client library that “speaks” SNI. I’ll look into haproxy and see what’s what. Thanks! -FG
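The haproxy TCP-mode offloader suggested above, written out as an added example that is not part of this thread. Assumed: the certificate directory /etc/haproxy/certs/ (one PEM per domain, key and chain included), haproxy listening on 3307, and MySQL on loopback port 3306; haproxy selects the certificate by the SNI name the client sends and falls back to the first file it loaded for clients that send none.

```haproxy
global
    log /dev/log local0
    # Assumed policy: refuse anything older than TLS 1.2 on every bind line
    ssl-default-bind-options ssl-min-ver TLSv1.2

defaults
    mode tcp
    log global
    option tcplog
    timeout connect 5s
    # MySQL sessions can idle for a long time; do not cut them at the proxy
    timeout client 1h
    timeout server 1h

frontend mysql_tls
    # A directory as the crt argument loads every *.pem in it; the cert whose
    # CN/SAN matches the client's SNI is served, the first one loaded otherwise
    bind *:3307 ssl crt /etc/haproxy/certs/
    default_backend mysql_plain

backend mysql_plain
    # Plaintext hop after termination, so keep it on loopback or a private net
    server db1 127.0.0.1:3306 check
```

haproxy terminates TLS at the socket, so the client has to open a TLS session before the MySQL handshake rather than use the protocol's in-band TLS upgrade, which is exactly why a client library that speaks SNI is still required.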