Multiple Certs and Keys

Yick Xie yick.xie at gmail.com
Mon May 9 15:14:06 PDT 2016


I tested and it did not work. Still, the first one in the order is
delivered; the case is the same as with the IP cert.

ONE cert was issued with dns_name="xxx.com";
TWO cert was issued with dns_name="vpn.yyy.net".

GnuTLS is 3.3.18; is some more configuration needed to enable SNI? How
can I verify my environment? Perhaps it is due to some other outdated libs?
Tested using commit e142202583fff93ae3ece6b0163e90f371d84b71 (Date: Tue Apr
26 21:46:00 2016 +0200)

Regards,
Yick

2016-05-09 19:51 GMT+08:00 Nikos Mavrogiannopoulos
<n.mavrogiannopoulos at gmail.com>:
> On Thu, May 5, 2016 at 3:12 PM, Yick Xie <yick.xie at gmail.com> wrote:
>> Hello Nikos,
>>
>> A little confused about it. Since even if I self-sign the other CNAME
>> domain, I still cannot get rid of the risk of domain resolution,
>> right? Can ocserv tell them apart via the CN (common name) and deliver the
>> cert according to IP visit or domain visit?
>
> ocserv can distinguish certificates to send based on SNI. If you set up
> ocserv with two certificates, one for xxx.com and the other for
> yyy.com, the clients which advertise one of the two DNS names should
> be served the corresponding certificate.
>
> For example for your self signed certificate you could issue it for the:
> self-signed.mydomain.com
> while the CA issued one as
> ca-issued.mydomain.com
>
> You should set these as the dns_name field.
>
> Then users connecting to self-signed.mydomain.com will be served the
> self signed one, while the other domain will be served the ca issued
> one.
>
> regards,
> Nikos
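One way to answer the "how can I verify my environment?" question above is to connect to the server once per SNI name and look at which DNS names the served certificate carries. The script below is an added example for this thread; it is not code from ocserv, GnuTLS or either poster. It assumes ocserv is reachable on a TCP port, that the two cert/key pairs are listed as separate server-cert/server-key lines in ocserv.conf (the way the ocserv sample configuration describes multiple certificates), and that for each probe you can pass a CA file the served certificate chains to (for the self-signed one, that certificate itself), because Python's getpeercert() returns an empty dict when the chain is not verified. The host names xxx.com and vpn.yyy.net in the usage line are the thread's placeholders, and the matching rules in name_covers are the usual ones (exact label match, wildcard only as the whole leftmost label).

```python
#!/usr/bin/env python3
"""Probe which certificate a TLS server hands out for a given SNI name.

Usage: sni_probe.py HOST PORT NAME:CAFILE [NAME:CAFILE ...]
e.g.   sni_probe.py 203.0.113.5 443 xxx.com:ca.pem vpn.yyy.net:self-signed.pem
(addresses and file names above are constructed placeholders)
"""
import socket
import ssl
import sys
from typing import List


def san_dns_names(cert: dict) -> List[str]:
    """DNS names from a dict as returned by ssl.SSLSocket.getpeercert().
    Other SAN kinds (IP Address, email) are ignored on purpose: SNI carries
    only host names, so only dNSName entries can satisfy it."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def name_covers(pattern: str, server_name: str) -> bool:
    """Case-insensitive match of one SAN entry against the requested SNI name.
    A wildcard is accepted only as the entire leftmost label (*.yyy.net) and
    it matches exactly one label, so *.yyy.net covers vpn.yyy.net but neither
    yyy.net nor a.b.yyy.net."""
    pattern = pattern.lower().rstrip(".")
    server_name = server_name.lower().rstrip(".")
    if pattern == server_name:
        return True
    if pattern.startswith("*."):
        head, sep, tail = server_name.partition(".")
        return sep == "." and head != "" and "." + tail == pattern[1:]
    return False


def cert_covers(cert: dict, server_name: str) -> bool:
    """True when at least one SAN DNS entry of cert covers server_name."""
    return any(name_covers(n, server_name) for n in san_dns_names(cert))


def probe_sni(host: str, port: int, server_name: str, cafile: str,
              timeout: float = 5.0) -> dict:
    """Connect to host:port, send server_name in the SNI extension and return
    the peer certificate as a dict. Hostname checking is deliberately off so a
    mismatching certificate is reported instead of hidden behind an error; the
    chain is still verified against cafile, otherwise getpeercert() is empty."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.load_verify_locations(cafile=cafile)
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=server_name) as tls:
            return tls.getpeercert()


def main(argv: List[str]) -> int:
    if len(argv) < 4:
        print(__doc__, file=sys.stderr)
        return 2
    host, port = argv[1], int(argv[2])
    failures = 0
    for spec in argv[3:]:
        server_name, _, cafile = spec.partition(":")
        cert = probe_sni(host, port, server_name, cafile)
        served = san_dns_names(cert)
        ok = cert_covers(cert, server_name)
        failures += 0 if ok else 1
        print(f"SNI {server_name!r}: served SAN {served} -> {'OK' if ok else 'MISMATCH'}")
    return 1 if failures else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

If both probes print the same SAN list, the server is ignoring SNI and serving the first configured pair, which is the symptom reported above. Note also that a client connecting by IP address sends no SNI at all, so for IP connections the first configured certificate is the expected result regardless of how well the name-based selection works.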



More information about the openconnect-devel mailing list