search for: sni

...=SSLv2/v3 read server hello A: (null) when hitting the newly deployed server. If I give the specific host name as the --server argument (rather than the alternative name that get the round robin dns) puppet agent connects runs properly. I''ve tracked this down to the FreeBSD client using SNI where as the Linux clients do not and the older servers don''t support SNI so it is ignored. All server are using apache mod_ssl and passenger, but I''m not sure how to proceed. I could generate a "puppet.my.domain.com" certificate, distribute it to all the servers and s...

> On Oct 17, 2016, at 2:41 AM, Arkadiusz Mi?kiewicz <arekm at maven.pl> wrote: > > On Monday 30 of May 2016, Arkadiusz Mi?kiewicz wrote: >> Is there a way to log SNI hostname used in TLS session? Info is there in >> SSL_CTX_set_tlsext_servername_callback, dovecot copies it to >> ssl_io->host. >> >> Unfortunately I don't see it expanded to any variables ( >> http://wiki.dovecot.org/Variables ). Please consider this to be a f...

...h has virtual server capability that *demands* a different certificate for each virtual server. How can that be I thought? This is what Cherokee documentation says: <QUOTE> SSL Virtual Hosts You might have been told elsewhere that named virtual hosts in SSL cannot be supported without SNI (Server Name Indication) because a web server cannot see the hostname header when the SSL request is being processed. Technically this might have been correct in the past. The first thing that the server has to do is to connect with the other end by using SSL/TLS. The user entered host part of...

Hi all, I'm testing the SNI configuration from dovecot's wiki page, to have multiple domains. I'm using letsencrypt certificates. On the 10-ssl.conf, when I only use one domain, like this, it works : ssl_ca = </etc/letsencrypt/live/mail.mydomain.fr/chain.pem ssl_cert = </etc/letsencrypt/live/mail.mydomain.fr/...

Good morning, I was wondering what you think about SNI (server name indication) support to OpenSSH? Background: SSH is one of the rare protocols in the data center that cannot be easily load balanced, proxied or made highly available. If the ssh client would indicate to which host it wants to connect to, a proxy or load balancer could easily be imple...

...:16, Arkadiusz Mi?kiewicz wrote: > On Monday 17 of October 2016, KT Walrus wrote: >>> On Oct 17, 2016, at 2:41 AM, Arkadiusz Mi?kiewicz <arekm at maven.pl> wrote: >>> >>> On Monday 30 of May 2016, Arkadiusz Mi?kiewicz wrote: >>>> Is there a way to log SNI hostname used in TLS session? Info is there in >>>> SSL_CTX_set_tlsext_servername_callback, dovecot copies it to >>>> ssl_io->host. >>>> >>>> Unfortunately I don't see it expanded to any variables ( >>>> http://wiki.dovecot.org/Vari...

Is there a way to log SNI hostname used in TLS session? Info is there in SSL_CTX_set_tlsext_servername_callback, dovecot copies it to ssl_io->host. Unfortunately I don't see it expanded to any variables ( http://wiki.dovecot.org/Variables ). Please consider this to be a feature request. The goal is to be able to...

...##### ## # ## ## ## ## ### ## ##### . ## ## . ###### . Secure Networks Inc. Security Advisory October 21, 1997 SNI-19.BSD.lpd.vulnerabilities update This is an update to the advisory SNI-19.BSD.lpd.vulnerabilities which was released on October 2, 1997. Issue 1 ~~~~~~~ A problem was pointed out in the recommended fixes by Matt Power <mhpower@MIT.EDU>, which would still allow an attacker using the recom...

FYI? dovecot 2.2.10 from RedHat 7 has an issue with clients, which won't send SNI.?As you are using version 2.2.27 you might encounter the same behaviour. If the client won't send SNI, my server randomly answers with any cert instead of?the default cert,? --Perhaps dovecot just utilises the last used cert? One speciality?of my certs is, that both share the same Common Name (...

...rote: > >>>>> On Oct 17, 2016, at 2:41 AM, Arkadiusz Mi?kiewicz <arekm at maven.pl> > >>>>> wrote: > >>>>> > >>>>> On Monday 30 of May 2016, Arkadiusz Mi?kiewicz wrote: > >>>>>> Is there a way to log SNI hostname used in TLS session? Info is > >>>>>> there in SSL_CTX_set_tlsext_servername_callback, dovecot copies it > >>>>>> to ssl_io->host. > >>>>>> > >>>>>> Unfortunately I don't see it expanded to any vari...

...October 2016, KT Walrus wrote: >>>>> On Oct 17, 2016, at 2:41 AM, Arkadiusz Mi?kiewicz <arekm at maven.pl> >>>>> wrote: >>>>> >>>>> On Monday 30 of May 2016, Arkadiusz Mi?kiewicz wrote: >>>>>> Is there a way to log SNI hostname used in TLS session? Info is there >>>>>> in SSL_CTX_set_tlsext_servername_callback, dovecot copies it to >>>>>> ssl_io->host. >>>>>> >>>>>> Unfortunately I don't see it expanded to any variables ( >>>&...

...he settings in service-imap-login and service pop-login. In particular mail_max_userip_connections never is looked at on the proxy as this check happens in the respective protocol AFTER login, rite? I presume to best support all(?) clients out there is to have "local_name" sections for SNI first and then "local" sections for IP address based certs. It is my understanding that SNI needs to be requested by the client, so aside from client bugs (nah, those don't exist ^o^) every client should get an appropriate response for TLS. Has anybody done a setup like that already?...

Hello, We?re rolling out large SNI deployments for our mail servers. Each domain gets an entry like this in the config: local_name mail.foo.com { ssl_cert = </ssl/domain_tls/*.foo.com/combined ssl_key = </ssl/domain_tls/*.foo.com/combined } There are a couple problems we?re finding with this approach: 1) Dovecot wa...

Hi. Looks like every ~2 Years raises someone the question about SNI support in the openssh client. 2015: https://marc.info/?l=openssh-unix-dev&m=143248436518985&w=2 2017: https://marc.info/?l=openssh-unix-dev&m=150204655205911&w=2 I have read the docs and haven't seen anything about that this feature is already available in SSH. https://man.o...

Hi I have some problem with SNI and dovecot 2.2.36.4 Server debian 9.x ad dovecot-2.2.36.4 default server ssl cert is a wildcard like *.domain.com (digicert) ssl_ca = /var/control/cert.pem ssl_cert = </var/control/cert.pem I added for test another domain (in dns to) for another ssl (letsencrypt) from https://wiki.dovecot....

...available from the Internet, and they require validation (username/password). I would like to publish them all under https, so the passwords won't travel unencrypted, but then all my sites use the same certificate on apache httpd. The solution to this is using an httpd server that supports SNI: <http://en.wikipedia.org/wiki/Server_Name_Indication> however, the httpd included in Centos does not have this feature. Question is: have anybody made httpd RPMs for CentOS supporting this feature? (according to the link, httpd supports this since 2.2.11) or maybe they can be requested o...

On Monday 17 of October 2016, KT Walrus wrote: > > On Oct 17, 2016, at 2:41 AM, Arkadiusz Mi?kiewicz <arekm at maven.pl> wrote: > > > > On Monday 30 of May 2016, Arkadiusz Mi?kiewicz wrote: > >> Is there a way to log SNI hostname used in TLS session? Info is there in > >> SSL_CTX_set_tlsext_servername_callback, dovecot copies it to > >> ssl_io->host. > >> > >> Unfortunately I don't see it expanded to any variables ( > >> http://wiki.dovecot.org/Variables ). Pleas...

...n Monday 17 of October 2016, KT Walrus wrote: > >>> On Oct 17, 2016, at 2:41 AM, Arkadiusz Mi?kiewicz <arekm at maven.pl> > >>> wrote: > >>> > >>> On Monday 30 of May 2016, Arkadiusz Mi?kiewicz wrote: > >>>> Is there a way to log SNI hostname used in TLS session? Info is there > >>>> in SSL_CTX_set_tlsext_servername_callback, dovecot copies it to > >>>> ssl_io->host. > >>>> > >>>> Unfortunately I don't see it expanded to any variables ( > >>>> ht...

Hi, I have a problem with library (rpart) (and/or library(tree)). I use a data.frame with variables "pnV22" (observation: 1, 0 or yes, no) "JTemp" (mean temperature) "SNied" (summer rain) I used function "rpart" to build a model: library(rpart) attach(data.frame) result <- rpart(pnV22 ~ JTemp + SNied) I got the following tree: n=55518 (50 observations deleted due to missingness) node), split, n, deviance, yval * denotes terminal...

Hey Thorsten, Thorsten Glaser <t.glaser at tarent.de> writes: > On Sun, 12 Jan 2020, Nico Schottelius wrote: > >> I was wondering what you think about SNI (server name indication) >> support to OpenSSH? > > Oh, please absolutely not. SNI is a privacy violation in HTTP, and > otherwise just a poor excuse to continue running NAT and/or IPv4. you might have misunderstood me. The purpose of my request was to enable transition towards IPv6...