LiteSpeed Support Forums
Page 1 of 2 1 2
Show 40 post(s) from this thread on one page

LiteSpeed Support Forums (http://www.litespeedtech.com/support/forum/index.php)
-   Feedback/Feature Requests (http://www.litespeedtech.com/support/forum/forumdisplay.php?f=10)
-   -   TLS Server Name Indication/TLS v1.2 (http://www.litespeedtech.com/support/forum/showthread.php?t=3721)

Xorlev 01-24-2010 11:47 AM
TLS Server Name Indication/TLS v1.2
 
I was wondering the TLS SNI Extension could be added to LSWS for support of SSL name-based virtual hosts. It's a pretty recent thing, but for my sites I end up using a certificate with a subjectAltName. I currently self-sign instead of paying for this as my subjectAltName's change so I end up reissuing every few months. Supporting TLS SNI would help workaround this, most major browsers support TLS SNI.

This would require supporting TLS v1.2 I believe. That wouldn't be a bad thing, TLS v1.0 was barely an upgrade to SSLv3 and TLSv1.1 has been out since 2006, 1.2 out since 2008.

Nothing high priority, but SSL name-based virtual hosting would certainly be a leg up for LSWS.

mistwang 01-25-2010 09:48 AM
Any web server support it?
We use openssl library, so support of TLS 1.2 in openssl first.

Xorlev 01-25-2010 04:26 PM
Apache supports it via mod_gnutls by means of the GnuTLS library. Yassl library supports it too.

IIS7.5 supports it natively.

The issue with waiting on OpenSSL is they're working on projects they're paid to do so, I don't think TLS 1.2 ranks too far up there. 0.9.9 was supposed to have it.

dpward 02-18-2010 08:47 PM
Apache+OpenSSL currently supports SNI
 
OpenSSL added support for SNI in version 0.9.8f (at first an optional feature, then it was enabled by default in 0.9.8k). Apache added support for SNI in 2.2.12: wiki.apache.org/httpd/NameBasedSSLVHostsWithSNI
(I would make this a hyperlink, but the board won't let me because my post count is low? :confused:)

SNI (RFC 4366) can be used as an extension to TLS 1.0 and TLS 1.1; the software just has to support the extension (as you said, all modern browsers do, as well as Apache/OpenSSL). SNI is also rolled into TLS 1.2 (RFC 5246) as you mentioned.

My web host uses LiteSpeed, and I would tremendously benefit from having SNI support. Please consider adding it!

andreas 10-04-2010 07:50 AM
Any news on this feature?

mistwang 10-04-2010 08:04 AM
It is in 4.1RC3 build already.

andreas 10-04-2010 08:09 AM
Cool, thanks!

andreas 04-10-2011 03:30 AM
I am using lsws 2.1rc5. How do I configure SNI? I didn't find anything.

mistwang 04-11-2011 08:27 AM
in native configuration or through Apache httpd.conf?
For native configuration, configure a SSL listener with a default certificate, then add certificate for each vhost binds to that SSL listener. there should be SSL tab for vhost configuration.
For Apache vhost, just let multiple secure sites share one IP.

andreas 04-11-2011 08:33 AM
Native config. When I go to the VHost mappings and click "edit", there is an SSL tab, but it just points to the SSL settings of the listener.


All times are GMT -7. The time now is 10:59 AM.
Page 1 of 2 1 2
Show 40 post(s) from this thread on one page