similar to: client connection errors: SSL, SNI and DNS_ALT_NAMES Oh My

Displaying 20 results from an estimated 1000 matches similar to: "client connection errors: SSL, SNI and DNS_ALT_NAMES Oh My"

2013 Jan 07
1
Nginx and puppet
Hello, I use puppetmaster behind nginx and I have a strange issue. The master can sign the agent but after this, I have an SSL error. If I don't use nginx, everything works great, no problem with ssl. The nginx configuration and the ssl error are here: http://pastebin.com/nEt5uvN2 Thanks for the help.
2013 May 07
3
freebsd clients failing to connect to new master with ssl errors
Hi All, I currently have two puppet masters which are "load balanced" with round robin DNS (one is also the CA). I'm using dns_alt_names to let them each answer to puppet.my.domain.com For the past year this has been fine. Today I'm trying to add a third & while all my Linux clients seem happy with the new arrangement, my smaller number of FreeBSD9 systems fail
2012 Mar 10
2
X509v3 Subject Alternative Name in puppet generated certs...
I'm trying to split out my certificate authority and have one CA and multiple masters, currently using round robin DNS, possibly using HAproxy later. Got most of the way there but tangled up in names and certificates. When the Puppet CA generated its certificate the PTR record for its IP pointed back to its domain name ("henson") and it had a CNAME
2012 Jul 02
2
Trouble using the dns_alt_names config option
Hello: I'm trying to put a puppet master on an EC2 instance, and have it be accessible to agents using either its EC2 DNS name (e.g., ec2-xxx-xxx-xxx-xxx.compute-1.amazonaws.com) or a friendlier alias (e.g., puppet.example.com). My /etc/puppet/puppet.conf looks like: [master] certname=ec2-xxx-xxx-xxx-xxx.compute-1.amazonaws.com
2020 Jan 12
4
Adding SNI support to SSH
Good morning, I was wondering what you think about SNI (server name indication) support to OpenSSH? Background: SSH is one of the rare protocols in the data center that cannot be easily load balanced, proxied or made highly available. If the ssh client would indicate to which host it wants to connect to, a proxy or load balancer could easily be implemented. While this is an obvious feature for
2016 Oct 17
2
logging TLS SNI hostname
> On Oct 17, 2016, at 2:41 AM, Arkadiusz Miśkiewicz <arekm at maven.pl> wrote: > > On Monday 30 of May 2016, Arkadiusz Miśkiewicz wrote: >> Is there a way to log SNI hostname used in TLS session? Info is there in >> SSL_CTX_set_tlsext_servername_callback, dovecot copies it to >> ssl_io->host. >> >> Unfortunately I don't see it expanded to any
2016 May 30
2
logging TLS SNI hostname
Is there a way to log SNI hostname used in TLS session? Info is there in SSL_CTX_set_tlsext_servername_callback, dovecot copies it to ssl_io->host. Unfortunately I don't see it expanded to any variables ( http://wiki.dovecot.org/Variables ). Please consider this to be a feature request. The goal is to be able to see which hostname client used like: May 30 08:21:19 xxx dovecot:
2018 Aug 29
3
SNI Dovecot
Hi all, I'm testing the SNI configuration from dovecot's wiki page, to have multiple domains. I'm using letsencrypt certificates. On the 10-ssl.conf, when I only use one domain, like this, it works : ssl_ca = </etc/letsencrypt/live/mail.mydomain.fr/chain.pem ssl_cert = </etc/letsencrypt/live/mail.mydomain.fr/cert.pem ssl_key =
2012 Dec 10
2
puppet master REST API returns 403 when running under passenger works when running from command line
Hi! Everyone, puppet agent is not able to fetch any files, plugins or post catalog, reports to the master. both puppet agent and master are on version 3.0.l, passenger version 3.0.18 , nginx version: nginx/1.3.9 built by gcc 4.4.6 20120305 (Red Hat 4.4.6-4) (GCC) TLS SNI support enabled configure arguments: --prefix=/apps/nginx --conf-path=/apps/nginx/nginx.conf
2013 Apr 03
2
Proxying, pertinent values and features, SNI
Hello, I'm looking into deploying dovecot as a proxy, currently using perdition. Have been using dovecot on the actual servers for years, nearly a decade. So far just 1.x, but for the proxy it will have to be 2.x (2.1.7 is the current Debian version), as the trigger for this change is the need to support multiple SSL certificates. All that happens on the proxy seems to be handled by the
2016 Oct 20
2
logging TLS SNI hostname
On 18.10.2016 14:16, Arkadiusz Miśkiewicz wrote: > On Monday 17 of October 2016, KT Walrus wrote: >>> On Oct 17, 2016, at 2:41 AM, Arkadiusz Miśkiewicz <arekm at maven.pl> wrote: >>> >>> On Monday 30 of May 2016, Arkadiusz Miśkiewicz wrote: >>>> Is there a way to log SNI hostname used in TLS session? Info is there in >>>>
2019 Sep 13
2
Multiple certificate option SNI
Hi I have some problem with SNI and dovecot 2.2.36.4 Server debian 9.x and dovecot-2.2.36.4 default server ssl cert is a wildcard like *.domain.com (digicert) ssl_ca = /var/control/cert.pem ssl_cert = </var/control/cert.pem I added for test another domain (in dns too) for another ssl (letsencrypt) from https://wiki.dovecot.org/SSL/DovecotConfiguration like: local_name
2009 Apr 13
4
httpd with SNI
Hi! I am currently publishing some web services on a Centos 5.3 server on my office using the included apache httpd. They are available from the Internet, and they require validation (username/password). I would like to publish them all under https, so the passwords won't travel unencrypted, but then all my sites use the same certificate on apache httpd. The solution to this is using an
2019 Dec 06
2
client to support SNI
Hi. Looks like every ~2 Years raises someone the question about SNI support in the openssh client. 2015: https://marc.info/?l=openssh-unix-dev&m=143248436518985&w=2 2017: https://marc.info/?l=openssh-unix-dev&m=150204655205911&w=2 I have read the docs and haven't seen anything about that this feature is already available in SSH. https://man.openbsd.org/ssh.1
2016 Oct 20
2
logging TLS SNI hostname
On 20.10.2016 15:41, Arkadiusz Miśkiewicz wrote: > On Thursday 20 of October 2016, Aki Tuomi wrote: >> On 18.10.2016 14:16, Arkadiusz Miśkiewicz wrote: >>> On Monday 17 of October 2016, KT Walrus wrote: >>>>> On Oct 17, 2016, at 2:41 AM, Arkadiusz Miśkiewicz <arekm at maven.pl> >>>>> wrote: >>>>> >>>>> On Monday 30
2016 Nov 10
4
lazy-load SNI?
Hello, We're rolling out large SNI deployments for our mail servers. Each domain gets an entry like this in the config: local_name mail.foo.com { ssl_cert = </ssl/domain_tls/*.foo.com/combined ssl_key = </ssl/domain_tls/*.foo.com/combined } There are a couple problems we're finding with this approach: 1) Dovecot wants to load everything at once, which has some machines taking
2020 Jan 12
2
Adding SNI support to SSH
> Have you ever considered using ssh's proxy-command for this? > I have a similar setup, works great for me. I think the intended application is to proxy through a proxy host provided by the service provider. If SSH had a SNI like feature where a host identifier was passed in plain text during the initial connection. This way the user would just need to register their host identifier
2020 Jan 13
2
Adding SNI support to SSH
Hey Jochen, Jochen Bern <Jochen.Bern at binect.de> writes: > On 01/13/2020 11:10 AM, Nico Schottelius wrote: >> The problem I am trying to solve is: there are thousands of users on >> IPv4 only networks who I cannot all communicate with. And they need to >> access resources on IPv6 only systems. >> >> The typical jump host / proxy command approach surely
2016 Nov 20
3
CentOS 6, Apache 2.2.15 and SNI?
Hello, is Apache 2.2 which is part of the CentOS distribution capable of SNI? I have troubles that are coming from server side (CentOS 6.8, Apache 2.2.15) just did 'yum update' in /etc/httpd/conf/httpd.conf I've the following NameVirtualHost ipaddr:443 Include /etc/httpd/conf/vhosts/vhost-ssldom1-box.conf Include /etc/httpd/conf/vhosts/vhost-ssldom2-box.conf both
2016 Nov 11
2
lazy-load SNI?
>>> >>> Great! Seems to be working fine for my usage and makes my configs 50% >>> smaller (which is gigantic improvement). Will do more testing though. >>> >>> Thanks! >>> >>> A little bit offtopic, but what is the point of using imap/pop SNI? All clients want to connect to their own domain or what? -- Kaspars