SSL Server Name Indication

#18535
Posted: 12/20/2011 10:11:18
by tyler brinks (Basic support level)
Joined: 12/20/2011
Posts: 2

Can someone please help me understand which classes are necessary to host an HTTPS server that makes use of Server Name Indication?

As I understand the topic, SNI allows multiple SSL-enabled sites to be hosted from the same IP address (much like how HTTP HOST headers work).

I need to set up an HTTPS server with several certificates for different sites all on the same IP address on port 443.

What classes are necessary to tell the EldoS libraries which certificate to use for a given host?

Thanks!!
#18536
Posted: 12/20/2011 10:31:36
by Ken Ivanov (EldoS Corp.)

Thank you for contacting us.

The principal moment that should be taken into account when considering the use of the server name indication approach is that this feature *must* be supported by the client in order for things to work. If the client does not support this TLS protocol extension, the server will have to wait for the HTTP response to arrive, and optionally initiate a re-negotiation.

The feature itself is supported by all server-side SSL/TLS-capable SecureBlackbox components. At first glance the most suitable component for your task is TElHTTPSServer. To get the host name obtained from the client via the server name indication extension (if any), please do the following:
- handle the TElHTTPSServer.OnExtensionsReceived event,
- check if the TElHTTPSServer.SSLPeerExtensions.ServerName.Enabled property is set to true (if it is, the extension has been provided by the client),
- get the desired host name from the TElHTTPSServer.SSLPeerExtensions.ServerName.Name property.

Once you have the host name, you can put the appropriate certificate(s) into the certificate storage object bound to the server's CertStorage property. Please note that all the manipulations with CertStorage should be performed from within the OnExtensionsReceived event handler.
#18540
Posted: 12/20/2011 20:51:32
by tyler brinks (Basic support level)
Joined: 12/20/2011
Posts: 2

Quote
Innokentiy Ivanov wrote:
To get the host name obtained from the client via the server name indication extension (if any), please do the following:
- handle the TElHTTPSServer.OnExtensionsReceived event,
- check if the TElHTTPSServer.SSLPeerExtensions.ServerName.Enabled property is set to true (if it is, the extension has been provided by the client),
- get the desired host name from the TElHTTPSServer.SSLPeerExtensions.ServerName.Name property.

Once you have the host name, you can put the appropriate certificate(s) into the certificate storage object bound to the server's CertStorage property. Please note that all the manipulations with CertStorage should be performed from within the OnExtensionsReceived event handler.


So far I'm using the ElServerSSLSocket (still interrogating the PeerExtensions.ServerName property). I'm using the SSLSocketDemo for reference, and I'm using the asynchronous option.

Given the socket is asynchronous, is it safe to Clear() the CertStore and add the certificate for a given host? Will doing so affect other asynchronous requests coming in at the same time?

I need to be asynchronous and with as much availability as possible, and I need to serve different certificates simultaneously.

What's the best approach?
#18541
Posted: 12/21/2011 04:30:30
by Ken Ivanov (EldoS Corp.)

Quote
Given the socket is asynchronous, is it safe to Clear() the CertStore and add the certificate for a given host? Will doing so affect other asynchronous requests coming in at the same time?

The question is quite relevant. Under the above conditions, the correct solution for you would be creating an independent TElMemoryCertStorage object for every other accepted connection, and substituting the "default" storage object (assigned to the listening socket) inside the OnExtensionsReceived event handler. This approach will make your application safe with regard to negotiations running in parallel.
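The following C# sketch is an added illustration of the two answers above (the steps in the first reply and the per-connection storage in the second); it is not code from EldoS or from this thread. The property and class names come from the thread; the namespaces, the `(object sender)` delegate signature, the `TElMemoryCertStorage(null)` constructor and `Add(cert, copyPrivateKey)` are assumptions to be checked against the installed edition.

```csharp
using System;
using System.Collections.Generic;
using SBX509;           // TElX509Certificate (namespace assumed)
using SBMemCertStorage; // TElMemoryCertStorage (namespace assumed)
using SBHTTPSServer;    // TElHTTPSServer (namespace assumed)

// Certificates keyed by the host name clients send in the SNI extension.
// Loaded once at startup and only ever read afterwards, so sharing it
// between connections that negotiate in parallel is safe.
static class SniCertificates
{
    static readonly Dictionary<string, TElX509Certificate> byHost =
        new Dictionary<string, TElX509Certificate>(StringComparer.OrdinalIgnoreCase);
    static TElX509Certificate fallback; // served when no SNI or an unknown host arrives

    public static void Register(string host, TElX509Certificate cert, bool isDefault)
    {
        byHost[host] = cert;
        if (isDefault) fallback = cert;
    }

    // SNI host names are case-insensitive and may carry a trailing dot;
    // an empty name (client without SNI support) gets the fallback certificate.
    public static TElX509Certificate Select(string sniName)
    {
        if (string.IsNullOrEmpty(sniName)) return fallback;
        TElX509Certificate cert;
        return byHost.TryGetValue(sniName.TrimEnd('.'), out cert) ? cert : fallback;
    }
}

// OnExtensionsReceived handler: build a fresh storage for this connection
// instead of Clear()-ing the listener's shared one, which would race with
// other handshakes in progress. Delegate signature is an assumption.
static void Server_OnExtensionsReceived(object sender)
{
    TElHTTPSServer server = (TElHTTPSServer)sender; // per-connection server object
    string sniName = server.SSLPeerExtensions.ServerName.Enabled
        ? server.SSLPeerExtensions.ServerName.Name
        : null;

    TElX509Certificate chosen = SniCertificates.Select(sniName);
    if (chosen == null) return; // nothing registered: keep the default storage

    TElMemoryCertStorage perConnection = new TElMemoryCertStorage(null); // ctor assumed
    perConnection.Add(chosen, false); // Add(cert, copyPrivateKey): signature assumed
    server.CertStorage = perConnection; // replaces the storage for this connection only
}
```

The per-connection storage should be released together with the connection it served, and a missing entry for a registered host is a configuration error worth logging rather than silently falling back.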
