Support name-based hosts via TLS SNI

[Castaglia]

Some sites may wish to host large numbers of vhosts on the same IP address. One way that mod_autohost could handle these, in addition to (or related to) [HOST] (see Issue #1) could be to look up the vhost config based on TLS SNI.

Given that the TLS handshake for FTPS connections happens sometime after the initial TCP connection, where any number of commands might happen, supporting SNI will not be as straightforward as destination IP-based lookups. There might be an "initial" config for use such connections, until such time as they provide an SNI via TLS handshake (and/or HOST command).

[jrhay1]

Any thoughts on when this might be available?

[e-fik123]

Any progress here? Would be great to have a sni support for PROFTPD

[FGasper]

@Castaglia NB: Pure-FTPd just implemented SNI support. Maybe the implementation there would be a useful blueprint?

[Castaglia]

@e-fik123 ProFTPD's mod_tls does support SNI. This particular feature request is specifically for the mass vhosting capabilities of mod_autohost, to use the SNI, if provided, to select the appropriate configuration. I'm looking into this now.

[FGasper]

Where is the current SNI support documented?

[e-fik123]

@Castaglia i read the docu for mod_autohost but there is reference only to IP addresses, missing hostnames. If you got any progress or need help, let me know.
as @FGasper mentioned pure-ftpd uses extra deamon for sni support maybe this can be a way to do this.
Pure-ftpd does not support proxying so no alternative for me

[FGasper]

If possible, perhaps even use the same SNI daemon that Pure-FTPd uses. There’s no reason to reinvent the wheel, after all.

[e-fik123]

Any update here? to me this is still important topic. If you need any help let me know.

[Castaglia]

Notes for myself, for SNI-related configurations:

• When can we do the lookup for a config, using SNI? Answer: in a LOG_CMD handler for the AUTH TLS command; that is when we know that a TLS handshake occurred.
• What happens if no SNI is provided? Nothing different than normal.
• What happens if no matching config for the given SNI is available? Nothing different than normal.
• What about connection-time limits/ACLs in the new config? They will be ignored.

[Castaglia]

@FGasper @e-fik123 @jrhay1 FYI, this ticket is about supporting SNI as part of the lookup syntax for these dynamically loaded config files. For SNI support in mod_tls, see proftpd/proftpd#850.

[FGasper]

@Castaglia: Just so I’m clear, does the current feature set allow ProFTPd to allow the SNI string to determine which of a set of certificates (either pre-loaded or runtime-determined) is served up?

[Castaglia]

@FGasper @e-fik123 Now that SNI support in mod_tls is stabilizing; see:

• mod_tls should honor SNI in TLS handshake proftpd/proftpd#850
• FTPS using SNI causes data transfers to fail proftpd/proftpd#924
• mod_tls "no matching server found" for first SNI / name-based virtual host proftpd/proftpd#932

I can now start properly working on SNI support for mod_autohost.

[Castaglia]

Fixed in master.