Using SNI with cowboy:start_tls/3


Using SNI with cowboy:start_tls/3

Igor Clark
Hi there,

Does anyone have any examples of how to use sni_hosts correctly in TransportOpts in cowboy:start_tls/3?

I want to use different certs for respective different hostnames, and I'm having trouble deciphering the docs as the definition seems spread across cowboy, ranch and erlang:ssl. From what I can tell the underlying erlang:ssl wants this:

{ sni_hosts, [ { hostname(), [ ssl_option() ] } ] } 

which seems like it should work like e.g.

{ sni_hosts, [ { "hostname1", [ { certfile, Certfile1 }, { keyfile, Keyfile1 }, { cacertfile, CaCertFile1 } ] } ] }

but when I add that directly to the TransportOpts in cowboy:start_tls/3 alongside { port, Port } etc I just get bad_return. There are other options that seem relevant e.g. server_name_indication but I'm finding it tricky to piece it all together to make the right shape of TransportOpts - I'm not clear whether the ssl_opts listed under the ranch_ssl module docs are simply passed through from erlang:ssl or whether they're a ranch-specific subset, and either way how to structure the proplist to configure Cowboy to serve multiple TLS names.

Would very much appreciate any tips or examples!

Thanks,
Igor

_______________________________________________
erlang-questions mailing list
[hidden email]
http://erlang.org/mailman/listinfo/erlang-questions

Re: Using SNI with cowboy:start_tls/3

Loïc Hoguin-3
Hey,

As far as Ranch is concerned, the options are given directly to the ssl
application. What Ranch does is tweak some default values (unrelated to
ssl), remove some options like active or packet (same), and pass them
forward. The types in the docs are there merely for documentation purposes.

Afraid that's all the help I have.

Cheers,

On 28/01/2019 09:45, Igor Clark wrote:

--
Loïc Hoguin
https://ninenines.eu

Re: Using SNI with cowboy:start_tls/3

Ingela Andin
Hi!
Your example looks correct.

Here is another one

{sni_hosts,
 [{"a.server", [{certfile, "a_cert.pem"},
                {keyfile, "a_key.pem"}
               ]},
  {"b.server", [{certfile, "b_cert.pem"},
                {keyfile, "b_key.pem"}
               ]}
 ]}

If you want to know if the problem is with cowboy or ssl, try calling the ssl API without cowboy.

Regards Ingela


Den ons 30 jan. 2019 kl 00:26 skrev Loïc Hoguin <[hidden email]>:

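A fuller version of the shape discussed above, as an added example (not code from the thread, nor from Cowboy or Ranch): it places sni_hosts inside Cowboy's transport options and includes Ingela's suggested check against the ssl API alone, so an option error surfaces from ssl:listen/2 instead of as Cowboy's bad_return. It assumes Cowboy 2.x on Ranch 1.7 (transport opts as a map with socket_opts), placeholder certificate paths under certs/, and a hypothetical handler module hello_h.

```erlang
%% sni_example.erl: added example, not from the thread. Assumes Cowboy 2.x /
%% Ranch 1.7 and placeholder certificate/key paths under certs/.
-module(sni_example).
-export([sni_hosts/0, ssl_opts/0, check_with_ssl/1, start_cowboy/1]).

%% Per-hostname TLS options, the shape erlang:ssl expects for sni_hosts:
%% [{hostname(), [ssl_option()]}]. Each name gets its own cert and key;
%% add {cacertfile, ...} per name only when that name needs its own CA set
%% (for client-certificate verification).
sni_hosts() ->
    [{"a.example.org", [{certfile, "certs/a_cert.pem"},
                        {keyfile,  "certs/a_key.pem"}]},
     {"b.example.org", [{certfile, "certs/b_cert.pem"},
                        {keyfile,  "certs/b_key.pem"}]}].

%% Options common to every name. The top-level certfile/keyfile is the
%% default identity, served to clients that send no SNI or an unknown name.
ssl_opts() ->
    [{certfile, "certs/default_cert.pem"},
     {keyfile,  "certs/default_key.pem"},
     {sni_hosts, sni_hosts()}].

%% Ingela's suggestion: validate the option list with ssl alone, no Cowboy.
%% Returns ok, or {error, Reason} naming the bad path or malformed option.
check_with_ssl(Port) ->
    case ssl:listen(Port, ssl_opts()) of
        {ok, LSock} ->
            ok = ssl:close(LSock),
            ok;
        {error, Reason} ->
            {error, Reason}
    end.

%% Cowboy 2.x / Ranch 1.7: transport opts are a map whose socket_opts list
%% is passed through to ssl, so port and the ssl options live together.
%% hello_h is a hypothetical cowboy handler module.
start_cowboy(Port) ->
    Dispatch = cowboy_router:compile([{'_', [{"/", hello_h, []}]}]),
    cowboy:start_tls(https,
                     #{socket_opts => [{port, Port} | ssl_opts()]},
                     #{env => #{dispatch => Dispatch}}).
```

Run check_with_ssl(Port) first; once it returns ok, the same ssl_opts() list inside socket_opts should start the Cowboy listener, and any remaining failure is on the Cowboy/Ranch side rather than in the ssl options.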

Re: Using SNI with cowboy:start_tls/3

Igor Clark
Thank you both. I’ll see if I can try getting under the hood with just ssl.

A bit surprised this hasn’t come up more often - I imagined people would want to host multiple names using cowboy pretty frequently! Not so, it seems?

If I get anywhere with it I’ll post back.

Thanks again,
Igor

On 30 Jan 2019, at 11:32, Ingela Andin <[hidden email]> wrote:


Re: Using SNI with cowboy:start_tls/3

Ingela Andin
Actually the easiest way to handle the new options based on the SNI extension nowadays is to use the handshake_continue functionality. I do not know if that works with cowboy.

Regards Ingela 

onsdag 30 januari 2019 skrev Igor Clark <[hidden email]>:


Re: Using SNI with cowboy:start_tls/3

Loïc Hoguin-3
A patch might be needed. Igor, please open a ticket in Cowboy or Ranch
if you think it's necessary once you've done some experimentation.

Cheers,

On 30/01/2019 18:18, Ingela Andin wrote:

--
Loïc Hoguin
https://ninenines.eu