[squid-users] Multiple SSL certificates on same IP
Bruno de Paula Larini
bruno.larini at riosoft.com.br
Thu Dec 20 12:45:49 UTC 2018

On 19/12/2018 20:09, Amos Jeffries wrote:
> OpenSSL definitely can use only one certificate per http(s)_port. Either
> the _last_ loaded if several PEM files are loaded (each call to the
> OpenSSL API *replaces* the certs loaded), or if one tries to work around
> that by merging everything into a single PEM and only loading it all at
> once - only the _first_ cert chain is ever used from that set.

Sorry for maybe going a bit off-topic, just curious about it.
I'm mostly clueless about the implications and intricacies of "behind
the scenes" of SNI, but most modern webservers support it (Apache,
nginx, IIS). Apache, for instance, says it should be built with "OpenSSL
with the TLS Extensions option enabled", since OpenSSL v0.9.8f. And
their configuration for Virtual Hosts and SSL/TLS is rather simple on a
user's view.

So, my question would be: why would Squid have problems with SNI and
OpenSSL when other webservers/proxies have this feature using

In my (user's) opinion, Squid has far more complex features with SSL
Bump and other forward proxy handling for SSL/TLS. Why would SNI be such
a big deal?