> I'll try and replicate the blog findings in the course of the next couple of
> days .... if it works I'll add it to the wiki ...
>
Set up a test this morning using CentOS 6:

nss-3.13.1-7.el6_2.x86_64
mod_nss-1.0.8-14.el6_2.x86_64

The behaviour was... odd....

SNI itself must have been working, as the contents differed depending on the domain, which matched the expectation from the two virtual hosts. However, there appear to remain certificate selection issues and/or issues with respect to the behaviour of the NSS options - only the last NSSCertificateDatabase seemed to apply rather than be local to a given VirtualHost (if separating certificate databases), and if in a common database, although Apache reported different nicknamed certificates in error_log, only the first NSSNickname seemed to be used to obtain the correct certificate...

Set up a similar test on Fedora 17:

nss-3.13.4-3.fc17.x86_64
mod_nss-1.0.8-17.fc17.x86_64

Same behaviour occurred (not that surprising given the versions)....

So the short of it is: ignore that blog, and Rob is right - mod_nss is not ready yet... if you want SNI you need mod_ssl (or mod_gnutls)... if you have FIPS etc. requirements or other reasons to use mod_nss then SNI is not at this time possible if you want valid certificates in place...

James
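
A way to check for the symptom described above (page content varies per virtual host, but the same certificate is served for every name), as an added example that is not part of the original message. The host names, the address and the `first_cert_only` stand-in are constructed for illustration.

```python
import hashlib
import socket
import ssl
from collections import defaultdict


def fetch_leaf_der(addr, port, sni, timeout=5.0):
    """Return the DER-encoded leaf certificate served for the given SNI name."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # diagnostic only: a wrong certificate
    ctx.verify_mode = ssl.CERT_NONE  # must be captured, not rejected
    with socket.create_connection((addr, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=sni) as tls:
            return tls.getpeercert(binary_form=True)


def fingerprint(der):
    """SHA-256 fingerprint of a DER certificate, as lowercase hex."""
    return hashlib.sha256(der).hexdigest()


def shared_certificates(certs_by_name):
    """Group SNI names by certificate fingerprint; keep groups of two or more."""
    groups = defaultdict(list)
    for name, der in certs_by_name.items():
        groups[fingerprint(der)].append(name)
    return {fp: sorted(names) for fp, names in groups.items() if len(names) > 1}


def audit(addr, port, names, fetch=fetch_leaf_der):
    """Fetch one certificate per SNI name and report names sharing a certificate."""
    return shared_certificates({name: fetch(addr, port, name) for name in names})


def first_cert_only(addr, port, sni):
    """Constructed stand-in for a server that ignores SNI when picking a cert."""
    return b"constructed-der-bytes-for-first-nickname"


if __name__ == "__main__":
    # Constructed names and a documentation-range address; replace with the
    # virtual hosts under test and drop fetch= to query a real server.
    names = ["a.example.test", "b.example.test"]
    for fp, hosts in audit("192.0.2.10", 443, names, fetch=first_cert_only).items():
        print("same certificate", fp[:16], "served for", ", ".join(hosts))
```

An empty result means every name received a distinct certificate; a shared fingerprint is only a finding when the virtual hosts are not meant to share one multi-name or wildcard certificate.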
