[stunnel-users] PATCH: multiple SNI options per slave section
dsowen at fugue88.ws
Fri Sep 27 22:00:31 CEST 2013
Hello and thank you for stunnel! After switching from my web-server's
built-in SSL support, I now have a much more secure system and SNI,
In stunnel(8), I read this about the sni option:
"sni option can also be specified more than once within a single slave
However, I couldn't get it to work, and reading the source code
verified that only one sni option is tracked per section.
So, I present my patch to allow multiple sni options. It enables
configurations like these:
sni = https:a.example.org
sni = https:b.example.org
sni = https:c.example.org
sni = https:d.example.org
If you have a naming scheme that doesn't lend itself to the wildcard
matching already supported, this can cut your config size quite a bit.
The sni option for any section was originally tracked in the
section->sni member (a string). Now, a linked-list of sni options is
added to the section structure, with every sni option being appended
to the end.
For server setup, each slave section walks over its list, splitting
each sni option and adding that slave section to the master's slave
list. Splitting options and adding slaves to masters works as before,
but now the slave section iterates over a list instead of referencing
a single string.
For client setup, each slave section checks that it has either no sni
options, or exactly one. Multiple sni options results in an error.
If exactly one option is found, it is copied to the old sni field of
the section struct. The old sni field has been renamed to
servername_to_request, as it is now used only in client mode, and this
makes its purpose more clear. When no sni option is found,
servername_to_request is initialized from the protocolHost or connect
options, as before.
I hope this patch is useful to others. Please let me know how I can
make it acceptable for inclusing in the stunnel distribution.
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 8117 bytes
More information about the stunnel-users