[Proftpd-user] ProFTPd and SNI
Felipe Gasper
2017-04-04 13:32:40 UTC
Hello,

Am I correct in thinking that ProFTPd has tied its SNI support to virtual hosting, rather than the Dovecot/Exim approach of simply allowing a name-based lookup of hostname to certificate?

Thank you!

-FG
TJ Saunders
2017-04-04 14:33:36 UTC
Post by Felipe Gasper
Am I correct in thinking that ProFTPd has tied its SNI support to virtual hosting,
rather than the Dovecot/Exim approach of simply allowing a name-based lookup of hostname
to certificate?
How do you mean? Are you asking what the relationship is, in ProFTPD,
between SNI and the HOST command? Or how ProFTPD validates any SNI? Or
something else?

Cheers,
TJ
Felipe Gasper
2017-04-04 14:40:39 UTC
Post by TJ Saunders
Post by Felipe Gasper
Am I correct in thinking that ProFTPd has tied its SNI support to virtual hosting,
rather than the Dovecot/Exim approach of simply allowing a name-based lookup of hostname
to certificate?
How do you mean? Are you asking what the relationship is, in ProFTPD,
between SNI and the HOST command? Or how ProFTPD validates any SNI? Or
something else?
I’m just learning how ProFTPd does SNI and was hoping I could just do:

TLSRSACertificateFile /var/ssl/%{env:TLS_SERVER_NAME}/combined

(… given that my server’s SSL certs are in such a filesystem structure)

This is how Exim’s SNI support works, and it’s beautiful. :)

mod_tls, though, doesn’t seem to parse such environment variables?

On a server that hosts thousands of domains, I’d really rather not have to create a separate FTP vhost for each domain that maintains TLS on the machine … but it looks like that’s how ProFTPd expects me to do it?

-FG
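The name-based hostname-to-certificate lookup Felipe describes, written out as an added example that is not part of this thread and not code from ProFTPD or mod_tls: a Python `ssl` SNI callback that resolves the client-supplied server name to `/var/ssl/<hostname>/combined` and loads that bundle, validating the name first because SNI is untrusted input that is about to become part of a filesystem path. The `/var/ssl` layout and the `combined` bundle name are assumptions taken from the post.

```python
import os
import re
import ssl

# Layout from the post (assumed): one PEM bundle (key + chain) per hostname.
CERT_ROOT = "/var/ssl"
BUNDLE_NAME = "combined"
# One DNS label: 1-63 lowercase alphanumerics or hyphens, no hyphen at either end.
_LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")

def normalize_sni(server_name):
    """Canonical lowercase hostname, or None if the value is not a valid DNS name."""
    # SNI is client-supplied; validate it before it becomes part of a path,
    # otherwise '/' or '..' in the name could escape CERT_ROOT.
    if not server_name or len(server_name) > 253:
        return None
    name = server_name.rstrip(".").lower()
    if not all(_LABEL.match(label) for label in name.split(".")):
        return None
    return name

def cert_path_for_sni(server_name, cert_root=CERT_ROOT):
    """Map an SNI hostname to its bundle path, the lookup the post wants mod_tls to do."""
    name = normalize_sni(server_name)
    if name is None:
        return None
    path = os.path.join(cert_root, name, BUNDLE_NAME)
    # Belt and braces: the result must still lie inside cert_root.
    root = os.path.abspath(cert_root) + os.sep
    return path if os.path.abspath(path).startswith(root) else None

def make_sni_callback(cert_root=CERT_ROOT):
    """Build an ssl.SSLContext.sni_callback that swaps in the per-hostname bundle."""
    contexts = {}  # path -> loaded SSLContext, built lazily on first use

    def select_cert(sslsocket, server_name, default_ctx):
        path = cert_path_for_sni(server_name, cert_root)
        # A name that fails validation never touches the filesystem, and an
        # unknown name keeps default_ctx's certificate instead of failing the handshake.
        if path is None or not os.path.isfile(path):
            return None
        if path not in contexts:
            contexts[path] = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
            contexts[path].load_cert_chain(path)
        sslsocket.context = contexts[path]
        return None  # None tells ssl to continue the handshake

    return select_cert
```

Attach it with `server_ctx.sni_callback = make_sni_callback()` on the listening context, which keeps holding the fallback certificate for clients that send no SNI or an unknown name.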
Felipe Gasper
2017-04-04 14:58:50 UTC
Post by TJ Saunders
Post by Felipe Gasper
Am I correct in thinking that ProFTPd has tied its SNI support to virtual hosting,
rather than the Dovecot/Exim approach of simply allowing a name-based lookup of hostname
to certificate?
How do you mean? Are you asking what the relationship is, in ProFTPD,
between SNI and the HOST command? Or how ProFTPD validates any SNI? Or
something else?
In other words, is it possible *just* to support SNI (as exim does) without having to do virtual hosting? We already use AuthUserFile to put FTP users into the correct home directory, etc.; all we want now is to support SNI.

-FG
Matus UHLAR - fantomas
2017-04-05 12:34:24 UTC
Post by Felipe Gasper
In other words, is it possible *just* to support SNI (as exim does) without
having to do virtual hosting? We already use AuthUserFile to put FTP
users into the correct home directory, etc.; all we want now is to support
SNI.
There should be no reason for that: if you have multiple names but only use
one host, you can use a single certificate with multiple names.
--
Matus UHLAR - fantomas, ***@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
Chernobyl was a Windows 95 beta test site.
Felipe Gasper
2017-04-05 12:39:18 UTC
Post by Matus UHLAR - fantomas
Post by Felipe Gasper
In other words, is it possible *just* to support SNI (as exim does) without
having to do virtual hosting? We already use AuthUserFile to put FTP
users into the correct home directory, etc.; all we want now is to support
SNI.
There should be no reason for that: if you have multiple names but only use
one host, you can use a single certificate with multiple names.
Not if you have thousands of users, and especially if each user maintains their domains’ SSL separately.

-FG
TJ Saunders
2017-04-05 16:33:29 UTC
Post by Felipe Gasper
Post by Matus UHLAR - fantomas
Post by Felipe Gasper
In other words, is it possible *just* to support SNI (as exim does) without
having to do virtual hosting? We already use AuthUserFile to put FTP
users into the correct home directory, etc.; all we want now is to support
SNI.
There should be no reason for that: if you have multiple names but only use
one host, you can use a single certificate with multiple names.
Not if you have thousands of users, and especially if each user maintains
their domains’ SSL separately.
I've filed a ticket for this feature, for the mod_autohost module:

https://github.com/Castaglia/proftpd-mod_autohost/issues/5

Cheers,
TJ