From 00fe09480dfd28674661830d8a045e0f560bbe51 Mon Sep 17 00:00:00 2001 From: Rob Crittenden Date: Thu, 24 Sep 2015 17:13:20 -0400 Subject: Add support for Server Name Indication (SNI) Uses a hash table to pair up server names and nicknames and a lookup is done during the handshake to determine which nickname to be used, and therefore which VirtualHost. Based heavily on patch from Stanislav Tokos --- docs/mod_nss.html | 28 +++++++++++++++++++++++++++- 1 file changed, 27 insertions(+), 1 deletion(-) (limited to 'docs/mod_nss.html') diff --git a/docs/mod_nss.html b/docs/mod_nss.html index 19d8fef..f073978 100644 --- a/docs/mod_nss.html +++ b/docs/mod_nss.html @@ -184,7 +184,9 @@ following line to httpd.conf (location relative to httpd.conf):

This has Apache load the mod_nss configuration file, nss.conf. It is here that you will setup your VirtualServer entries to and -configure your SSL servers.
+configure your SSL servers. If you have a certificate with Subject +Alternative Names then you can configure separate VirtualServer entries +for eacon one.

Certificate Generation

A ksh script, gencert, is included to automatically @@ -1057,6 +1059,30 @@ If set to 0 then no buffering is done. NSSRenegBufferSize 262144


+NSSSNI
+
+Enables or disables Server Name Identification (SNI) extension check for +TLS. This option is enabled by default. To disable SNI, set this to off +in the default name-based VirtualHost. +
+
+Example
+
+NSSSNI off
+
+NSSStrictSNIVHostCheck
+
+Configures whether a non-SNI client is allowed to access a name-based +VirtualHost. If set to on in the default name-based VirtualHost +then clients that are SNI unaware cannot access any virtual host. If set +to on in any other VirtualHost then SNI unaware clients cannot access +this particular virtual host. +
+
+Example
+
+NSSStrictSNIVHostCheck off
+
NSSProxyEngine

Enables or disables mod_nss HTTPS support for mod_proxy.
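Review bot: The last added line of the first hunk (@@ -184,7 +184,9 @@) has a typo: "for eacon one" should read "for each one". The added sentence also says "VirtualServer entries", while the directive text added further down in this patch says "VirtualHost"; using VirtualHost here would keep the page consistent. Since the commit message describes the selection as a lookup from server name to nickname during the handshake, it would help to say here that this relies on SNI and to point the reader to the NSSSNI directive.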
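Review bot: In the NSSSNI description of the second hunk (@@ -1057,6 +1059,30 @@) the extension is expanded as "Server Name Identification", but the commit subject calls it Server Name Indication; the expansion in the docs should match. NSSStrictSNIVHostCheck does not state its default, unlike NSSSNI ("This option is enabled by default"), and its example shows off, so a reader cannot tell whether the example changes anything. The text should also say what a non-SNI client receives in each case: which VirtualHost serves it when the check is off, and what response it gets when access is refused. For NSSSNI, "set this to off in the default name-based VirtualHost" leaves open whether the directive has any effect in other VirtualHosts; one sentence on that would help.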
-- cgit