Hi all,

Has support for TLS SNI ever been discussed for MariaDB? This would allow hosting of multiple SSL certificates from the same server. It’s a boon in shared hosting environments. From the client’s end, at least, it would be trivial to implement. Doing it on the server would be trickier, but still pretty doable, I’d think?

-Felipe Gasper
On 02.09.2016 at 06:51, Felipe Gasper wrote:
> Has support for TLS SNI ever been discussed for MariaDB?
to achieve what?
> This would allow hosting of multiple SSL certificates from the same server
nobody is hosting ssl certificates
> It’s a boon in shared hosting environments
in webhosting environments the different hostnames have different document roots, aka websites, aka virtual servers. In case of a database server (as also for a mailserver, where this crazy idea comes up each year) you have *one* damned server, your username and your password - *why* do you need different hostnames for it? To make things much more complex? To have fun adding new clients to that cert? To have fun finding out the limit of SAN names over time?
On 2 Sep 2016, at 3:07 AM, Reindl Harald <h.reindl@thelounge.net> wrote:
>> It’s a boon in shared hosting environments
> in webhosting environments the different hostnames have different document roots, aka websites, aka virtual servers
Actually, that’s a big annoyance with Apache, that the configuration expects every virtual host to have the same SSL certificate. So if your vhost has 5 domains, you need a single certificate with 5 domains. Bleh. Dovecot does it much better: you just feed it a hash table of domains and key/certificate files.
> in case of a database server (as also for a mailserver, where this crazy idea comes up each year) you have *one* damned server, your username and your password - *why* do you need different hostnames for it?
As you imply, the greatest use case for SNI is for web hosting. Mail is less useful but still relevant: domain owners want to brand all of their services with their domain name. If I’m setting up “felipes-stuff.com” and have employees go to “hals-hosting.net” for mail, that’s not as “branded” of an experience as if everything used the same domain. Database access is similar. There is still a use case for SNI here, even if it’s not the most apparent one. -FG
> Actually, that’s a big annoyance with Apache, that the configuration expects every virtual host to have the same SSL certificate. So if your vhost has 5 domains, you need a single certificate with 5 domains. Bleh.
Well, you just make 5 vhosts, each having its own certificate definition but everything else common (like using include etc.). Though this is out of scope of this mailing list.
> Mail is less useful but still relevant: domain owners want to brand all of their services with their domain name. If I’m setting up “felipes-stuff.com” and have employees go to “hals-hosting.net” for mail, that’s not as “branded” of an experience as if everything used the same domain.
> Database access is similar. There is still a use case for SNI here, even if it’s not the most apparent one.
If you really want to "brand" your single Mysql instance by having multiple SSL certificates (as the previous person said - I don't see a very valid reason either) you can plug an SSL offloader like haproxy in between in TCP mode. Then just simply provide a directory of all the *.pem certificates and haproxy will do the rest.

rr
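The step the haproxy suggestion above depends on, as an added example (this is not MariaDB, HAProxy or list-member code): a TLS-offloading proxy reads the server_name extension out of the still-unencrypted ClientHello and picks a certificate from a hostname-to-file table before any key exchange happens. The ClientHello bytes, the hostnames and the certificate paths below are constructed for the demo; `build_client_hello`, `parse_sni` and `select_certificate` are names chosen here, not an API of any project.

```python
"""Select a certificate from the SNI extension of a TLS ClientHello.

Added example for the MariaDB SNI discussion; not MariaDB, HAProxy or list-member
code.  build_client_hello() constructs a minimal TLS 1.2 ClientHello (sample input
constructed for the demo) and parse_sni() walks the record the way a TLS-offloading
proxy does before it has chosen which certificate to present.
"""
import struct

TLS_HANDSHAKE = 0x16      # record-layer content type
CLIENT_HELLO = 0x01       # handshake message type
EXT_SERVER_NAME = 0x0000  # RFC 6066 server_name extension
SNI_HOST_NAME = 0x00      # name_type host_name


def build_client_hello(hostname=None):
    """Return one TLS record holding a ClientHello; hostname=None omits SNI."""
    extensions = b""
    if hostname is not None:
        name = hostname.encode("idna")
        entry = struct.pack("!BH", SNI_HOST_NAME, len(name)) + name
        server_name_list = struct.pack("!H", len(entry)) + entry
        extensions += struct.pack("!HH", EXT_SERVER_NAME, len(server_name_list))
        extensions += server_name_list
    body = (
        b"\x03\x03"            # client_version: TLS 1.2
        + bytes(32)            # random: zeroed, constructed sample
        + b"\x00"              # session_id: empty
        + b"\x00\x02\xc0\x2f"  # cipher_suites: one suite
        + b"\x01\x00"          # compression_methods: null only
    )
    if extensions:
        body += struct.pack("!H", len(extensions)) + extensions
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    # Record header: content type, legacy record version, fragment length.
    return struct.pack("!BHH", TLS_HANDSHAKE, 0x0301, len(handshake)) + handshake


def _take(buf, pos, n):
    """Return buf[pos:pos+n] and the new offset, refusing to run off the end."""
    if pos + n > len(buf):
        raise ValueError("truncated ClientHello")
    return buf[pos:pos + n], pos + n


def parse_sni(record):
    """Return the host_name carried in the SNI extension, or None if absent.

    Raises ValueError when the bytes are not a well-formed ClientHello, which is
    what a TLS-first listener sees from a client that starts in plaintext.
    """
    if len(record) < 5 or record[0] != TLS_HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    hs, _ = _take(record, 5, struct.unpack("!H", record[3:5])[0])
    if len(hs) < 4 or hs[0] != CLIENT_HELLO:
        raise ValueError("not a ClientHello")
    body, _ = _take(hs, 4, int.from_bytes(hs[1:4], "big"))

    pos = 2 + 32                                # skip client_version and random
    sid_len, pos = _take(body, pos, 1)
    _, pos = _take(body, pos, sid_len[0])       # session_id
    cs_len, pos = _take(body, pos, 2)
    _, pos = _take(body, pos, struct.unpack("!H", cs_len)[0])  # cipher_suites
    comp_len, pos = _take(body, pos, 1)
    _, pos = _take(body, pos, comp_len[0])      # compression_methods
    if pos == len(body):
        return None                             # no extensions block at all

    ext_total, pos = _take(body, pos, 2)
    exts, _ = _take(body, pos, struct.unpack("!H", ext_total)[0])
    pos = 0
    while pos + 4 <= len(exts):
        ext_type, ext_len = struct.unpack("!HH", exts[pos:pos + 4])
        data, pos = _take(exts, pos + 4, ext_len)
        if ext_type != EXT_SERVER_NAME:
            continue
        list_len, q = _take(data, 0, 2)
        names, _ = _take(data, q, struct.unpack("!H", list_len)[0])
        q = 0
        while q + 3 <= len(names):
            name_type, name_len = struct.unpack("!BH", names[q:q + 3])
            name, q = _take(names, q + 3, name_len)
            if name_type == SNI_HOST_NAME:
                return name.decode("ascii")
    return None


def select_certificate(record, cert_by_host, default_cert):
    """Pick the certificate file for a connection the way an SNI-aware proxy does.

    cert_by_host maps lower-case hostnames to certificate paths; default_cert is
    served when the client sends no SNI or an unknown name (SNI names compare
    case-insensitively, so the lookup lower-cases what the client sent).
    """
    host = parse_sni(record)
    if host is None:
        return default_cert
    return cert_by_host.get(host.lower(), default_cert)


if __name__ == "__main__":
    # Constructed table for the demo; the paths are placeholders, not real files.
    certs = {
        "felipes-stuff.com": "/etc/haproxy/certs/felipes-stuff.com.pem",
        "hals-hosting.net": "/etc/haproxy/certs/hals-hosting.net.pem",
    }
    for name in ("felipes-stuff.com", "Hals-Hosting.NET", "unknown.example", None):
        hello = build_client_hello(name)
        print(name, "->", select_certificate(hello, certs, "/etc/haproxy/certs/default.pem"))
```

HAProxy performs this lookup internally when the `crt` keyword on a `bind` line is given a directory: every certificate in it is loaded and the SNI name is matched against their subject names. One caveat for the database case: the MySQL wire protocol begins in cleartext and only switches to TLS after the server's greeting packet, so a proxy that terminates TLS from the first byte needs a client that also starts with TLS (or a local wrapper), which is why the client-side question raised in this thread does not go away with the offloader.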
On 2 Sep 2016, at 1:59 PM, Reinis Rozitis <r@roze.lv> wrote:
>> Actually, that’s a big annoyance with Apache, that the configuration expects every virtual host to have the same SSL certificate. So if your vhost has 5 domains, you need a single certificate with 5 domains. Bleh.
> Well, you just make 5 vhosts, each having its own certificate definition but everything else common (like using include etc.). Though this is out of scope of this mailing list.
On a site that hosts tens of thousands of domains that becomes inefficient very quickly. But, as you say, off-topic.
>> Mail is less useful but still relevant: domain owners want to brand all of their services with their domain name. If I’m setting up “felipes-stuff.com” and have employees go to “hals-hosting.net” for mail, that’s not as “branded” of an experience as if everything used the same domain.
>> Database access is similar. There is still a use case for SNI here, even if it’s not the most apparent one.
> If you really want to "brand" your single Mysql instance by having multiple SSL certificates (as the previous person said - I don't see a very valid reason either) you can plug an SSL offloader like haproxy in between in TCP mode. Then just simply provide a directory of all the *.pem certificates and haproxy will do the rest.
We’ll still need a client library that “speaks” SNI. I’ll look into haproxy and see what’s what. Thanks! -FG
On 02.09.2016 at 21:08, Felipe Gasper wrote:
> On 2 Sep 2016, at 1:59 PM, Reinis Rozitis <r@roze.lv> wrote:
>>> Actually, that’s a big annoyance with Apache, that the configuration expects every virtual host to have the same SSL certificate. So if your vhost has 5 domains, you need a single certificate with 5 domains. Bleh.
>> Well, you just make 5 vhosts, each having its own certificate definition but everything else common (like using include etc.). Though this is out of scope of this mailing list.
> On a site that hosts tens of thousands of domains that becomes inefficient very quickly. But, as you say, off-topic.
so get some proxy in front for TLS offloading and don't bother apache at all with TLS - the difference is that a proxy just has a simple mapping to the origin server and can select the right certificate based on the SNI handshake. doing the same with httpd would be completely illogical, because it would become a hard-to-explain break in the way you configure a vhost when you suddenly have things outside <VirtualHost>
>>> Mail is less useful but still relevant: domain owners want to brand all of their services with their domain name
then educate them
>>> If I’m setting up “felipes-stuff.com” and have employees go to “hals-hosting.net” for mail, that’s not as “branded” of an experience as if everything used the same domain.
so what - works without any issues, and at least for the last 15 years every human being with some brain understood why it makes no sense to brand server names that way if they are shared. if someone insists on having such bullshit he may pay me a large amount of money each month to maintain a dedicated server for him, or just eat the same lunch hundreds of others are happily eating - and frankly, in doubt i don't care for that money because i don't want to maintain useless things
>>> Database access is similar. There is still a use case for SNI here, even if it’s not the most apparent one.
>> If you really want to "brand" your single Mysql instance by having multiple SSL certificates (as the previous person said - I don't see a very valid reason either) you can plug an SSL offloader like haproxy in between in TCP mode. Then just simply provide a directory of all the *.pem certificates and haproxy will do the rest.
> We’ll still need a client library that “speaks” SNI.
guess how hard it's needed when within more than a decade nobody implemented it - i would seek a real problem to solve instead of constructing ones like "branding of infrastructure names"
Participants (3): Felipe Gasper, Reindl Harald, Reinis Rozitis