Multiple SSL certs

Multiple SSL certs

Alexandre de Arruda Paes
Hi,

Can I have multiple SSL certs in ASSP? 


Best regards,

Alexandre


Re: Multiple SSL certs

Thomas Eckardt/eck
You may try the following:

Call to Configure SSL-Listener-Parameters for GUI Connections (SSLWEBConfigure)
CorrectASSPcfg::configWebSSL 
If used, assp will call the defined subroutine in an eval closure submitting a reference to the assp predefined SSL-Socket-Configuration-HASH.
The HASH could be modified in place to your needs - please read the documentation of IO::Socket::SSL, Net::SSLeay and OpenSSL. Return values are ignored.
You can use/modify the module lib/CorrectASSPcfg.pm to implement your code. For example

sub configWebSSL {
    my $parms = shift;                # reference to assp's predefined SSL config hash
    $parms->{timeout} = 10;
    $parms->{'SSL_check_crl'} = 1;    # check certificates against the CRL below
    $parms->{'SSL_crl_file'} = '/assp/certs/crl/crllist.pem';
    return;
}

If the SSL listener should be able to use different certificates on the same IP address, depending on the name given by SNI, you can use a hash reference instead of a file with hostname => cert_file.

In case certs and keys are needed but not given it might fall back.

sub configWebSSL {
    my $parms = shift;                # reference to assp's predefined SSL config hash
    # hostname (as sent via SNI) => certificate file
    $parms->{SSL_cert_file} = {
        "foo.example.org" => "/path_to_file/foo-cert.pem",
        "bar.example.org" => "/path_to_file/bar-cert.pem",
        # used when nothing matches or client does not support SNI
        "" => "/path_to_file/server-cert.pem",
    };
    # hostname (as sent via SNI) => private key file, same keys as above
    $parms->{SSL_key_file} = {
        "foo.example.org" => "/path_to_file/foo-key.pem",
        "bar.example.org" => "/path_to_file/bar-key.pem",
        # used when nothing matches or client does not support SNI
        "" => "/path_to_file/server-key.pem",
    };
    return;
}

Now, if you set this parameter to 'CorrectASSPcfg::configWebSSL' - assp will call
CorrectASSPcfg::configWebSSL->(\%sslparms);
NOTICE: This option will possibly not work if you use any self signed certificate!



Thomas





From:        Alexandre de Arruda Paes <[hidden email]>
To:        For Users of ASSP <[hidden email]>
Date:        20.06.2017 21:48
Subject:        [Assp-user] Multiple SSL certs




Hi,

Can I have multiple SSL certs in ASSP? 

i.e.: mail.domain1.com, mail.domain2.com

Best regards,

Alexandre
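One way to guard the SNI hash form shown in the reply above against a missing entry or file, as an added example that is not part of the thread and not ASSP's own code: the two maps are built and checked first, and the parameter hash is only modified in place when every hostname, including the "" default, has a readable certificate and key. The helper check_sni_maps, the $CERT_DIR variable and the empty placeholder files are assumptions made for the illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use File::Temp qw(tempdir);

# Assumption: directory holding the PEM files (the thread only shows /path_to_file).
our $CERT_DIR = '/path_to_file';

# Hypothetical helper, not an ASSP function: return a list of problems found
# in a pair of hostname => file maps. An empty list means they are consistent.
sub check_sni_maps {
    my ($certs, $keys) = @_;
    my @problems;
    my %map = (SSL_cert_file => $certs, SSL_key_file => $keys);

    for my $name (sort keys %map) {
        if (ref($map{$name}) ne 'HASH') {
            push @problems, "$name is not a hash reference";
        }
        elsif (!exists $map{$name}{''}) {
            # '' is the entry used when nothing matches or the client sends no SNI
            push @problems, "$name has no '' default entry";
        }
    }
    return @problems if grep { ref($_) ne 'HASH' } values %map;

    # Every hostname must appear in both maps and point at readable files.
    my %hosts = map { $_ => 1 } keys %$certs, keys %$keys;
    for my $host (sort keys %hosts) {
        my $label = $host eq '' ? "default ('')" : $host;
        my %file  = (certificate => $certs->{$host}, key => $keys->{$host});
        for my $kind (sort keys %file) {
            my $path = $file{$kind};
            if (!defined $path) {
                push @problems, "$label: no $kind configured";
            }
            elsif (! -r $path) {
                push @problems, "$label: $kind file $path is not readable";
            }
        }
        # A private key should not be accessible to group or other
        # (mode bits are not meaningful on Windows, so skip the check there).
        my $key = $file{key};
        if (defined $key && -f $key && $^O ne 'MSWin32') {
            my $mode = (stat($key))[2] & 07777;
            push @problems, sprintf('%s: key file %s has mode %04o', $label, $key, $mode)
                if $mode & 0077;
        }
    }
    return @problems;
}

sub configWebSSL {
    my $parms = shift;
    my (%cert, %key);
    for my $entry (['foo.example.org' => 'foo'],
                   ['bar.example.org' => 'bar'],
                   [''                => 'server']) {
        my ($host, $base) = @$entry;
        $cert{$host} = "$CERT_DIR/$base-cert.pem";
        $key{$host}  = "$CERT_DIR/$base-key.pem";
    }
    if (my @problems = check_sni_maps(\%cert, \%key)) {
        warn "configWebSSL: SNI maps not applied: $_\n" for @problems;
        return;                       # leave the predefined settings untouched
    }
    $parms->{SSL_cert_file} = \%cert; # modify the hash in place
    $parms->{SSL_key_file}  = \%key;
    return;
}

# --- demo with constructed placeholder files (empty, not real PEM data) ---
sub make_pair {
    my $base = shift;
    for my $kind (qw(cert key)) {
        my $path = "$CERT_DIR/$base-$kind.pem";
        open my $fh, '>', $path or die "$path: $!";
        close $fh;
        chmod 0600, $path;
    }
}

$CERT_DIR = tempdir(CLEANUP => 1);
make_pair($_) for qw(foo server);     # bar is deliberately missing

# Constructed stand-in for the hash assp passes in.
my %sslparms = (SSL_cert_file => '/path_to_file/server-cert.pem');

configWebSSL(\%sslparms);             # warns about bar.example.org
print "after 1st call: ",
    (ref($sslparms{SSL_cert_file}) ? "SNI map applied" : "unchanged"), "\n";

make_pair('bar');
configWebSSL(\%sslparms);             # all three entries are now complete
print "after 2nd call: ",
    (ref($sslparms{SSL_cert_file}) ? "SNI map applied" : "unchanged"), "\n";
```

The check does not parse the PEM data, so whether each key actually belongs to its certificate still has to be verified separately.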

Re: Multiple SSL certs

Ethical Host - John MacKenzie

Hi Thomas

 

That is interesting. Would this also work with multi-domain certificates, where there is only 1 certificate file but multiple domains allowed by the certificate?

 

Thanks

John

 


Re: Multiple SSL certs

Thomas Eckardt/eck
IMHO yes - but please read the documentation of IO::Socket::SSL

Thomas





Re: Multiple SSL certs

Alexandre de Arruda Paes
In reply to this post by Thomas Eckardt/eck
Thomas,

But I want to use this with STARTTLS with doTLS on. Is it possible?




Re: Multiple SSL certs

Thomas Eckardt/eck
>But I want to use this with STARTTLS with doTLS on. Is it possible?

This does not make any sense to me. And no - this is currently not possible.

Thomas






Re: Multiple SSL certs

Thomas Eckardt/eck
In reply to this post by Alexandre de Arruda Paes
The latest development version 2.5.6 build 17172 available at http://assp.cvs.sourceforge.net/viewvc/assp/assp2/ will support SNI also for TLS connections.

Thomas






Re: Multiple SSL certs

Thomas Eckardt/eck
In reply to this post by Alexandre de Arruda Paes
Better use the latest development test version 2.5.6 build 17173 available at http://assp.cvs.sourceforge.net/viewvc/assp/assp2/test/ .
It contains a small but very important fix for SNI.

Thomas







Re: Multiple SSL certs

Alexandre de Arruda Paes
In reply to this post by Thomas Eckardt/eck
Hi Thomas,

Some of our ASSP installations have more than one customer with multiple domains:


And the customers use 587 to submit e-mail and assp collects whitelists, not spam, etc.

Best regards,

Alexandre



2017-06-21 13:08 GMT-03:00 Thomas Eckardt <[hidden email]>:
>But I want to use this with STARTTLS with doTLS on. Is it possible?

This does not make any sense to me. And no - this is currently not possible.

Thomas





From:        Alexandre de Arruda Paes <[hidden email]>
To:        For Users of ASSP <[hidden email]>
Date:        21.06.2017 17:50
Subject:        Re: [Assp-user] Multiple SSL certs




Thomas,

But I want to use this with STARTTLS with doTLS on. Is it possible?



2017-06-21 10:26 GMT-03:00 Thomas Eckardt <[hidden email]>:
You may try the following:

Call to Configure SSL-Listener-Parameters for GUI Connections (SSLWEBConfigure)
CorrectASSPcfg::configWebSSL
If used, assp will call the defined subroutine in an eval closure submitting a reference to the assp predefined SSL-Socket-Configuration-HASH.
The HASH could be modified in place to your needs - please read the documentation of IO::Socket::SSL, Net::SSLeay and OpenSSL. Return values are ignored.
You can use/modify the module lib/CorrectASSPcfg.pm to implement your code. For example

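sub configWebSSL {
    # reference to the assp predefined SSL socket configuration hash
    my $parms = shift;
    $parms->{timeout} = 10;
    # check peer certificates against the certificate revocation list
    $parms->{'SSL_check_crl'} = 1;
    $parms->{'SSL_crl_file'} = '/assp/certs/crl/crllist.pem';
    return;
}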

If the SSL listener should be able to use different certificates on the same IP address, depending on the name given by SNI, you can use a hash reference instead of a file with hostname => cert_file.

In case certs and keys are needed but not given it might fall back.

sub configWebSSL {
    my $parms = shift;
    # hostname given by SNI => certificate file
    $parms->{SSL_cert_file} = {
        "foo.example.org" => "/path_to_file/foo-cert.pem",
        "bar.example.org" => "/path_to_file/bar-cert.pem",
        # used when nothing matches or client does not support SNI
        "" => "/path_to_file/server-cert.pem",
    };
    # hostname given by SNI => private key file
    $parms->{SSL_key_file} = {
        "foo.example.org" => "/path_to_file/foo-key.pem",
        "bar.example.org" => "/path_to_file/bar-key.pem",
        # used when nothing matches or client does not support SNI
        "" => "/path_to_file/server-key.pem",
    };
    return;
}

Now, if you set this parameter to 'CorrectASSPcfg::configWebSSL' - assp will call
CorrectASSPcfg::configWebSSL->(\%sslparms);
NOTICE: This option will possibly not work if you use any self signed certificate!



Thomas





From:        Alexandre de Arruda Paes <[hidden email]>
To:        For Users of ASSP <[hidden email]>
Date:        20.06.2017 21:48
Subject:        [Assp-user] Multiple SSL certs





Hi,

Can I have multiple SSL certs in ASSP? 

i.e.:
mail.domain1.com, mail.domain2.com

Best regards,

Alexandre
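A pre-flight check for the hostname => file maps described in the thread above, as an added example that is not part of the original posts or of ASSP. check_sni_maps is a hypothetical helper, the temporary files are constructed stand-ins for PEM files, and the permission check assumes a POSIX file system.

```perl
use strict;
use warnings;
use File::Temp qw(tempdir);

# Hypothetical helper: list the problems in two SNI maps (hostname => file)
# of the kind assigned to SSL_cert_file and SSL_key_file.
sub check_sni_maps {
    my ($certs, $keys) = @_;
    my (%seen, @problems);
    # '' is the entry used when no name matches or the client sends no SNI.
    my @names = grep { !$seen{$_}++ } ('', sort(keys %$certs), sort(keys %$keys));
    for my $name (@names) {
        my $label = $name eq '' ? 'default entry ""' : $name;
        for my $pair (['certificate', $certs], ['key', $keys]) {
            my ($kind, $map) = @$pair;
            my $file = $map->{$name};
            if (!defined $file) {
                push @problems, "$label: no $kind configured";
            }
            elsif (!-r $file) {
                push @problems, "$label: $kind file $file is not readable";
            }
            elsif ($kind eq 'key' and (stat $file)[2] & 0077) {
                push @problems, "$label: key file $file is accessible to group or others";
            }
        }
    }
    return @problems;
}

# Constructed sample: empty temporary files stand in for real PEM files.
my $dir = tempdir(CLEANUP => 1);
my %mode = ('foo-cert.pem' => 0644, 'foo-key.pem' => 0600,
            'bar-cert.pem' => 0644, 'bar-key.pem' => 0644);
for my $file (sort keys %mode) {
    open my $fh, '>', "$dir/$file" or die "$dir/$file: $!";
    close $fh;
    chmod $mode{$file}, "$dir/$file" or die "chmod $dir/$file: $!";
}
my %cert = ('foo.example.org' => "$dir/foo-cert.pem",
            'bar.example.org' => "$dir/bar-cert.pem");
my %key  = ('foo.example.org' => "$dir/foo-key.pem",
            'bar.example.org' => "$dir/bar-key.pem");

print "$_\n" for check_sni_maps(\%cert, \%key);
```

Inside configWebSSL, such a check could run before the maps are assigned to $parms->{SSL_cert_file} and $parms->{SSL_key_file}, so that the predefined configuration is left untouched when a problem is reported.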