[Freeipa-users] Request for comments - Apache SNI via IPA with kerberos authentication

Rob Crittenden rcritten at redhat.com
Wed Jun 20 13:28:17 UTC 2012


James Hogarth wrote:
>> I'll try and replicate the blog findings in the course of the next couple of
>> days .... if it works I'll add it to the wiki ...
>>
>
> Set up a test this morning using CentOS 6:
> nss-3.13.1-7.el6_2.x86_64
> mod_nss-1.0.8-14.el6_2.x86_64
>
> The behaviour was... odd....
>
> SNI itself must have been working as the contents differed depending
> on the domain which matched the expectation from the two virtual hosts
> however there appears to remain certificate selection issues and/or
> issues with respect to the behaviour of the NSS options - only the
> last NSSCertificateDatabase seemed to apply rather than be local to a
> given VirtualHost (if separating certificate databases) and if in a
> common database although Apache reported different nicknamed
> certificates in error_log only the first NSSNickname seemed to be used
> to obtain the correct certificate...
>
> Set up a similar test on Fedora 17:
> nss-3.13.4-3.fc17.x86_64
> mod_nss-1.0.8-17.fc17.x86_64
>
> Same behaviour occurred (not that surprising given the versions)....
>
> So the short of it is ignore that blog and Rob is right - mod_nss is
> not ready yet... if you want SNI you need mod_ssl (or mod_gnutls)...
> if you have FIPS etc requirements or other reasons to use mod_nss then
> SNI is not at this time possible if you want valid certificates in
> place...
>

Only one nss database may be opened at a time. mod_nss should probably 
error out if multiple are defined to prevent confusion.

I'd think a nickname should be unique to a given VirtualServer. If not 
then it's a bug.

rob
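The two layouts the thread talks about, written out as an added example (not configuration from the thread, from James, or from the FreeIPA/mod_nss projects; host names, paths, nicknames and document roots are hypothetical). The first is the mod_nss arrangement James tested, one shared NSS database with a different NSSNickname per VirtualHost, which he reports served only the first nickname's certificate; a second NSSCertificateDatabase per vhost is not a way out, since only one NSS database can be opened at a time. The second is the mod_ssl equivalent he recommends instead, which selects the certificate per vhost from the SNI name. The two layouts are alternatives shown side by side; load only one of them.

```apache
# Added example with hypothetical names/paths; not from the thread.

# Common to both layouts (Apache 2.2 on CentOS 6 / Fedora 17 at the time;
# NameVirtualHost is what makes *:443 name-based at all).
Listen 443
NameVirtualHost *:443

# ---- Layout 1: mod_nss 1.0.8, one shared NSS database ----------------
# Reported in the thread as NOT working: although error_log names both
# nicknames, only the first NSSNickname was used to pick the certificate.
# Do not give each vhost its own NSSCertificateDatabase instead: only one
# NSS database can be open in the server at a time, so the last one
# defined is the one that takes effect for every vhost.
<VirtualHost *:443>
    ServerName app1.example.com
    NSSEngine on
    NSSCertificateDatabase /etc/httpd/alias    # shared DB for all vhosts
    NSSNickname app1.example.com               # cert nickname inside that DB
    DocumentRoot /var/www/app1
</VirtualHost>

<VirtualHost *:443>
    ServerName app2.example.com
    NSSEngine on
    NSSCertificateDatabase /etc/httpd/alias    # same DB as above
    NSSNickname app2.example.com               # second nickname, same DB
    DocumentRoot /var/www/app2
</VirtualHost>

# ---- Layout 2: mod_ssl, one certificate/key pair per vhost ------------
# What James suggests when there is no FIPS or other reason to stay on
# mod_nss: mod_ssl selects these per vhost from the SNI server name.
# (Disable mod_nss and its own Listen 443 before enabling this.)
<VirtualHost *:443>
    ServerName app1.example.com
    SSLEngine on
    SSLCertificateFile    /etc/pki/tls/certs/app1.example.com.crt
    SSLCertificateKeyFile /etc/pki/tls/private/app1.example.com.key
    DocumentRoot /var/www/app1
</VirtualHost>

<VirtualHost *:443>
    ServerName app2.example.com
    SSLEngine on
    SSLCertificateFile    /etc/pki/tls/certs/app2.example.com.crt
    SSLCertificateKeyFile /etc/pki/tls/private/app2.example.com.key
    DocumentRoot /var/www/app2
</VirtualHost>
```

To check which certificate a given vhost actually hands out, rather than trusting what error_log reports, connect with an explicit SNI name and read back the subject, e.g. `openssl s_client -connect server:443 -servername app2.example.com </dev/null 2>/dev/null | openssl x509 -noout -subject`, and repeat with `-servername app1.example.com`. With the mod_nss layout above the two subjects came back identical in James's tests; with mod_ssl they should differ.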
