[Maria-discuss] TLS SNI support

Felipe Gasper

2 Sep 2016 2 Sep '16

6:51 a.m.

Hi all, Has support for TLS SNI ever been discussed for MariaDB? This would allow hosting of multiple SSL certificates from the same server. It’s a boon in shared hosting environments. From the client’s end, at least, it would be trivial to implement. Doing it on the server would be trickier, but still pretty doable, I’d think? -Felipe Gasper

Show replies by date

Reindl Harald

2 Sep 2 Sep

10:07 a.m.

Am 02.09.2016 um 06:51 schrieb Felipe Gasper:

...

Has support for TLS SNI ever been discussed for MariaDB?

to achieve what?

...

This would allow hosting of multiple SSL certificates from the same server

nobody is hosting ssl certificates

...

It’s a boon in shared hosting environments

in webhosting environments the different hostnames have differnt document roots aka websites aka as virtual servers in case of a database-server (as also for a mailserver where this crazy idea comes too each year) you have *one* dmaned server, your username and your password - *why* do you need different hostnames for it? to make things much more complex? to have fun with add new clients to that cert? to have fun find out the limit of SAN names over time?

Felipe Gasper

8:40 p.m.

...

On 2 Sep 2016, at 3:07 AM, Reindl Harald wrote:

...
It’s a boon in shared hosting environments

in webhosting environments the different hostnames have differnt document roots aka websites aka as virtual servers

Actually, that’s a big annoyance with Apache, that the configuration expects every virtual host to have the same SSL certificate. So if your vhost has 5 domains, you need a single certificate with 5 domains. Bleh. Dovecot does it much better: you just feed it a hash table of domains and key/certificate files.

...

in case of a database-server (as also for a mailserver where this crazy idea comes too each year) you have *one* dmaned server, your username and your password - *why* do you need different hostnames for it?

As you imply, the greatest use case for SNI is for web hosting. Mail is less useful but still relevant: domain owners want to brand all of their services with their domain name. If I’m setting up “felipes-stuff.com” and have employees go to “hals-hosting.net” for mail, that’s not as “branded” of an experience as if everything used the same domain. Database access is similar. There is still a use case for SNI here, even if it’s not the most apparent one. -FG

Reinis Rozitis

8:59 p.m.

...

Actually, that’s a big annoyance with Apache, that the configuration expects every virtual host to have the same SSL certificate. So if your vhost has 5 domains, you need a single certificate with 5 domains. Bleh.

Well you just make 5 vhosts with each having it’s own certificate definition but everything else common (like use include etc). Though this out of scope of this mailinglist.

...

Mail is less useful but still relevant: domain owners want to brand all of their services with their domain name. If I’m setting up “felipes-stuff.com” and have employees go to “hals-hosting.net” for mail, that’s not as “branded” of an experience as if everything used the same domain.

...

Database access is similar. There is still a use case for SNI here, even if it’s not the most apparent one.

If you really want to "brand" your single Mysql instance by having multiple SSL certicates (as the previous person said - I don't see a very valid reason either) you can plug a SSL offloader like haproxy between in TCP mode. Then just simply provide a directory of all the *.pem certificates and haproxy will do the rest. rr

Felipe Gasper

9:08 p.m.

...

On 2 Sep 2016, at 1:59 PM, Reinis Rozitis wrote:

...
Actually, that’s a big annoyance with Apache, that the configuration expects every virtual host to have the same SSL certificate. So if your vhost has 5 domains, you need a single certificate with 5 domains. Bleh.

Well you just make 5 vhosts with each having it’s own certificate definition but everything else common (like use include etc). Though this out of scope of this mailinglist.

On a site that hosts tens of thousands of domains that becomes inefficient very quickly. But, as you say, off-topic.

...

...
Mail is less useful but still relevant: domain owners want to brand all of their services with their domain name. If I’m setting up “felipes-stuff.com” and have employees go to “hals-hosting.net” for mail, that’s not as “branded” of an experience as if everything used the same domain.

...
Database access is similar. There is still a use case for SNI here, even if it’s not the most apparent one.

If you really want to "brand" your single Mysql instance by having multiple SSL certicates (as the previous person said - I don't see a very valid reason either) you can plug a SSL offloader like haproxy between in TCP mode. Then just simply provide a directory of all the *.pem certificates and haproxy will do the rest.

We’ll still need a client library that “speaks” SNI. I’ll look into haproxy and see what’s what. Thanks! -FG

Reindl Harald

3 Sep 3 Sep

2:28 p.m.

Am 02.09.2016 um 21:08 schrieb Felipe Gasper:

...

...
On 2 Sep 2016, at 1:59 PM, Reinis Rozitis wrote:

...
Actually, that’s a big annoyance with Apache, that the configuration expects every virtual host to have the same SSL certificate. So if your vhost has 5 domains, you need a single certificate with 5 domains. Bleh.

Well you just make 5 vhosts with each having it’s own certificate definition but everything else common (like use include etc). Though this out of scope of this mailinglist.

On a site that hosts tens of thousands of domains that becomes inefficient very quickly. But, as you say, off-topic.

so get some proxy in front for TLS offloading and don't bother apache at all with TLS - the difference is that a proxy just has a simple mapping to the origin server and can select the right vertificate based on the SNI handshake dojg the same with httpd would be completly unlogical because it would become a hard to explain break in the way you configure a vhost when you suddenly have things outside <VirtualHost>

...

...
...
Mail is less useful but still relevant: domain owners want to brand all of their services with their domain name

then educate them

...

If I’m setting up “felipes-stuff.com” and have employees go to “hals-hosting.net” for mail, that’s not as “branded” of an experience as if everything used the same domain.

so what - works without any issues and at least the last 15 years every human beeing with some brain understood why it make sno sense to brand server names that way if they are shared if someone insists to have such bullshit he may pay me a large amount of money each month to maintain a dedicated server for him or just eat the same lunch hundrets of others are happily eating - and rankly in doubt i don't care for that money because i don't want to maintain useless things

...

...
...
Database access is similar. There is still a use case for SNI here, even if it’s not the most apparent one.

If you really want to "brand" your single Mysql instance by having multiple SSL certicates (as the previous person said - I don't see a very valid reason either) you can plug a SSL offloader like haproxy between in TCP mode. Then just simply provide a directory of all the *.pem certificates and haproxy will do the rest.

We’ll still need a client library that “speaks” SNI.

guess how hard it's needed when within more than a decade nobody implemented it - i would seek for real problem to solve instead constrcut ones like "branding of infrastructure names"

2942

Age (days ago)

2943

Last active (days ago)

List overview

Download

5 comments

3 participants

participants (3)

Felipe Gasper
Reindl Harald
Reinis Rozitis