[asio-users] SNI
Mike Cardwell
2014-03-19 14:34:00 UTC
Is there any plan to add TLS Server Name Indication support to Boost ASIO?
Specifically, I want the following capability:

An incoming connection is made to my server. The TLS negotiation begins. I see
which hostname they are requesting by extracting it from the SNI extension
header. I use that information to select which certificate to use for the
remainder of the TLS negotiation. If there is no SNI extension header, I'll just
select a default certificate to use.

This is quite different to the way ASIO currently works, in that the certificate
isn't loaded prior to the connection being made, but is only loaded when we
actually know which one we will need.

The system I am thinking about will have potentially thousands of SSL
certificates all being served from the same IP address, with new certificates
constantly being added and removed from the available pool. I want to load
them as and when they are needed, and cache them as is appropriate for
the application.

Perhaps rather than passing an ssl context to the socket, you would pass a
function that takes the SNI hostname and a new context as an argument and sets
it up there. Something along the lines of the following logic:

bool certificate_exists (const std::string & hostname) {
    // Checks file/db to see if we have a certificate associated with this hostname
}

// Proposed API: instead of a ready-made context, the stream takes a callback
// that runs once the SNI hostname is known and configures a fresh context for it.
boost::asio::ssl::stream<boost::asio::ip::tcp::socket> socket(io_service,
    [](const std::string & hostname, boost::asio::ssl::context & context){

        std::string pem_file = hostname.length() == 0 ? "default.pem"  // Client lacks SNI support
                             : certificate_exists(hostname) ? hostname + ".pem"
                             : "default.pem";                           // We don't have a cert for this hostname

        context.use_certificate_chain_file(pem_file);
        context.use_private_key_file(pem_file, boost::asio::ssl::context::pem);

        if (hostname == "example.com") {
            context.set_options(....);
        }
    }
);

Now all modern web browsers support SNI, and IPv4 space is becoming more
difficult to obtain. I think getting good support for SNI in Boost ASIO is
pretty important.
--
Mike Cardwell https://grepular.com/ http://cardwellit.com/
OpenPGP Key 35BC AF1D 3AA2 1F84 3DC3 B0CF 70A5 F512 0018 461F
XMPP OTR Key 8924 B06A 7917 AAF3 DBB1 BF1B 295C 3C78 3EF1 46B4
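The two mechanics the post relies on, as an added example that is not from the post and not Boost.Asio or OpenSSL code: a bounds-checked parser that pulls the host_name out of a ClientHello's server_name extension (every length field is verified before it is used, so a truncated or malformed hello yields "no SNI" rather than an out-of-bounds read), and the post's selection rule (no SNI or unknown host falls back to default.pem). The names Reader, extract_sni, select_pem_file and build_client_hello are assumptions for this example, the std::set stands in for the file/db lookup, and the ClientHello bytes are constructed here, not captured from a client.

```cpp
#include <cstddef>
#include <cstdint>
#include <iostream>
#include <optional>
#include <set>
#include <string>
#include <vector>

// Minimal bounds-checked cursor over one TLS record (example code).
class Reader {
public:
    explicit Reader(const std::vector<uint8_t>& d) : d_(d) {}
    bool has(size_t n) const { return pos_ + n <= d_.size(); }
    bool u8(uint8_t& v)   { if (!has(1)) return false; v = d_[pos_++]; return true; }
    bool u16(uint16_t& v) { if (!has(2)) return false; v = (uint16_t)((d_[pos_] << 8) | d_[pos_ + 1]); pos_ += 2; return true; }
    bool u24(uint32_t& v) { if (!has(3)) return false; v = ((uint32_t)d_[pos_] << 16) | ((uint32_t)d_[pos_ + 1] << 8) | d_[pos_ + 2]; pos_ += 3; return true; }
    bool skip(size_t n)   { if (!has(n)) return false; pos_ += n; return true; }
    bool bytes(size_t n, std::string& out) { if (!has(n)) return false; out.assign(d_.begin() + pos_, d_.begin() + pos_ + n); pos_ += n; return true; }
    size_t pos() const { return pos_; }
private:
    const std::vector<uint8_t>& d_;
    size_t pos_ = 0;
};

// Returns the host_name carried in the server_name extension of a TLS ClientHello
// record, or std::nullopt if the record is not a ClientHello, has no SNI, or is
// truncated/malformed at any point (each length is checked before it is consumed).
std::optional<std::string> extract_sni(const std::vector<uint8_t>& record) {
    Reader r(record);
    uint8_t content_type, hs_type, sid_len, comp_len;
    uint16_t rec_ver, rec_len, cli_ver, cs_len, ext_total;
    uint32_t hs_len;
    if (!r.u8(content_type) || content_type != 0x16) return std::nullopt; // handshake record
    if (!r.u16(rec_ver) || !r.u16(rec_len)) return std::nullopt;
    if (!r.u8(hs_type) || hs_type != 0x01) return std::nullopt;           // ClientHello
    if (!r.u24(hs_len)) return std::nullopt;
    if (!r.u16(cli_ver) || !r.skip(32)) return std::nullopt;             // client_version + random
    if (!r.u8(sid_len) || !r.skip(sid_len)) return std::nullopt;         // session_id
    if (!r.u16(cs_len) || !r.skip(cs_len)) return std::nullopt;          // cipher_suites
    if (!r.u8(comp_len) || !r.skip(comp_len)) return std::nullopt;       // compression_methods
    if (!r.u16(ext_total)) return std::nullopt;                          // no extensions block -> no SNI
    size_t ext_end = r.pos() + ext_total;
    if (ext_end > record.size()) return std::nullopt;                    // extensions claim more than we have
    while (r.pos() < ext_end) {
        uint16_t ext_type, ext_len;
        if (!r.u16(ext_type) || !r.u16(ext_len)) return std::nullopt;
        if (r.pos() + ext_len > ext_end) return std::nullopt;
        if (ext_type != 0x0000) { if (!r.skip(ext_len)) return std::nullopt; continue; }
        // server_name: ServerNameList length, then one (name_type, name_len, host_name) entry
        uint16_t list_len, name_len; uint8_t name_type; std::string host;
        if (!r.u16(list_len) || !r.u8(name_type) || !r.u16(name_len)) return std::nullopt;
        if (name_type != 0 || name_len == 0 || r.pos() + name_len > ext_end) return std::nullopt;
        if (!r.bytes(name_len, host)) return std::nullopt;
        return host;
    }
    return std::nullopt;
}

// The post's rule: no SNI -> default.pem; SNI for a host we hold a certificate for
// -> "<host>.pem"; otherwise default.pem. `available` stands in for the file/db lookup.
std::string select_pem_file(const std::optional<std::string>& sni,
                            const std::set<std::string>& available) {
    if (!sni || sni->empty()) return "default.pem";
    return available.count(*sni) ? *sni + ".pem" : "default.pem";
}

// Constructed test input: a minimal TLS 1.2 ClientHello record (not a capture).
// An empty `host` produces a hello with an empty extensions block, i.e. no SNI.
std::vector<uint8_t> build_client_hello(const std::string& host) {
    std::vector<uint8_t> body = {0x03, 0x03};          // client_version TLS 1.2
    body.insert(body.end(), 32, 0x42);                 // random (fixed filler)
    body.push_back(0x00);                              // session_id length 0
    body.insert(body.end(), {0x00, 0x02, 0xC0, 0x2F}); // one cipher suite
    body.insert(body.end(), {0x01, 0x00});             // compression: null
    std::vector<uint8_t> ext;
    if (!host.empty()) {
        uint16_t name_len = static_cast<uint16_t>(host.size());
        uint16_t list_len = name_len + 3, ext_len = list_len + 2;
        ext = {0x00, 0x00, (uint8_t)(ext_len >> 8), (uint8_t)ext_len,
               (uint8_t)(list_len >> 8), (uint8_t)list_len, 0x00,
               (uint8_t)(name_len >> 8), (uint8_t)name_len};
        ext.insert(ext.end(), host.begin(), host.end());
    }
    body.push_back((uint8_t)(ext.size() >> 8)); body.push_back((uint8_t)ext.size());
    body.insert(body.end(), ext.begin(), ext.end());
    std::vector<uint8_t> hs = {0x01, (uint8_t)(body.size() >> 16), (uint8_t)(body.size() >> 8), (uint8_t)body.size()};
    hs.insert(hs.end(), body.begin(), body.end());
    std::vector<uint8_t> rec = {0x16, 0x03, 0x01, (uint8_t)(hs.size() >> 8), (uint8_t)hs.size()};
    rec.insert(rec.end(), hs.begin(), hs.end());
    return rec;
}

int main() {
    std::set<std::string> pool{"example.com"};  // constructed certificate pool
    for (const char* h : {"example.com", "other.org", ""}) {
        auto sni = extract_sni(build_client_hello(h));
        std::cout << "SNI=" << sni.value_or("<none>") << " -> " << select_pem_file(sni, pool) << "\n";
    }
    return 0;
}
```

The parser stops at the first server_name extension and never trusts a length field it has not compared against the remaining bytes, which is the property a server-side hook like the one the post proposes needs: the hostname is read from attacker-controlled bytes before any certificate has been presented.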