implementing SNI

freebsd at johnea.net
Tue Aug 24 20:15:03 UTC 2010


Hello out there,

Implementing the SNI extension, to permit encrypted virtual web domain service, seems to be spreading.

I hope I'm not too far OT in asking this list for advice on making this transition on FreeBSD.

The first server to be migrated is currently running:

7.1-RELEASE-p13 with the base openssl 0.9.8e and apache 2.2.13

Several options seem to be available:

1) upgrade the openssl in the existing 7.1 release
2) migrate to GnuTLS in the existing 7.1 release
3) upgrade freebsd to 8.1 with openssl 0.9.8n

I'm pre-inclined towards upgrading the OS to 8.1. The primary concerns I've considered revolve around moving the installed ports through this upgrade with minimal downtime.

Could anyone please offer advice on the openssl upgrade issues involved in such a migration?

In addition to apache, this server is a pretty loaded toaster, also hosting DNS with bind9, virtual mail domains with postfix, courier-imap/authlib, and mysql, and shell accounts via openssh.

A simpler question that I've been unable to resolve: Does the openssl of 8.1-RELEASE enable the TLS extensions, including SNI, by default? If I have to rebuild from source to enable this feature anyway, it takes some of the incentive out of migrating the OS now.

Thanks for any insight or experience you're able to share!

johnea
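Two checks that bear on the question above, added here as an example and not part of the original post: whether the local openssl binary was built with TLS extensions (its s_client usage text only lists -servername in that case), and whether an SNI-enabled Apache vhost actually hands back the certificate for the requested name. The host address, port and names are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the original post. Probes SNI support in the local
# openssl and verifies per-name certificates on an SNI virtual host.
# 192.0.2.10 and the example.org names are constructed placeholders.

# s_client lists -servername in its usage text only when openssl was built
# with TLS extensions, so the usage text doubles as a capability probe.
openssl_has_sni() {
    openssl s_client -help 2>&1 | grep -q -- '-servername'
}

# Subject line of the certificate a server presents for a given SNI name.
# Usage: sni_cert_subject host port servername
sni_cert_subject() {
    echo | openssl s_client -connect "$1:$2" -servername "$3" 2>/dev/null |
        openssl x509 -noout -subject 2>/dev/null
}

# Extract the CN from either subject format openssl has printed over the
# years: "subject= /C=US/CN=host" (0.9.8, 1.0) or "subject=C = US, CN = host".
subject_cn() {
    printf '%s\n' "$1" | sed -n 's/.*CN *= *\([^/,]*\).*/\1/p'
}

# Report whether the certificate returned for "name" carries CN=name.
# Returns 0 on match, 1 otherwise. Usage: check_vhost host port name
check_vhost() {
    subj=$(sni_cert_subject "$1" "$2" "$3")
    cn=$(subject_cn "$subj")
    if [ "$cn" = "$3" ]; then
        echo "OK   $3 -> $subj"
    else
        echo "FAIL $3 -> ${subj:-no certificate}"
        return 1
    fi
}

# Run as: ./sni-check.sh 192.0.2.10 443 mail.example.org
# A second name on the same address only passes when both openssl and
# Apache's mod_ssl on the server side support SNI.
if [ "$#" -ge 3 ]; then
    openssl_has_sni || echo "local openssl has no -servername support"
    check_vhost "$1" "$2" "$3"
fi
```

Run it once per virtual host name on the same address; a server without working SNI returns the default vhost's certificate for every name, which shows up as a FAIL line.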


