SNI - Server Name Identification (virtual hosting for SSL nodes)

uWSGI 1.9 (codenamed “ssl as p0rn”) added support for SNI (Server Name Identification) throughout the whole SSL subsystem. The HTTPS router, the SPDY router and the SSL router can all use it transparently.

SNI is an extension to the SSL standard which allows a client to specify a “name” for the resource it wants. That name is generally the requested hostname, so you can implement virtual hosting-like behavior like you do using the HTTP Host: header without requiring extra IP addresses etc.

In uWSGI an SNI object is composed of a name and a value. The name is the servername/hostname while the value is the “SSL context” (you can think of it as the sum of certificates, key and ciphers for a particular domain).

Adding SNI objects

To add an SNI object just use the --sni option:

--sni <name> crt,key[,ciphers,client_ca]

For example:

--sni "unbit.com unbit.crt,unbit.key"

or for client-based SSL authentication and OpenSSL HIGH cipher levels

--sni "secure.unbit.com unbit.crt,unbit.key,HIGH,unbit.ca"

Adding complex SNI objects

Sometimes you need more complex keys for your SNI objects (like when using wildcard certificates)

If you have built uWSGI with PCRE/regexp support (as you should) you can use the --sni-regexp option.

--sni-regexp "*.unbit.com unbit.crt,unbit.key,HIGH,unbit.ca"

Massive SNI hosting

One of uWSGI’s main purposes is massive hosting, so SSL without support for that would be pretty annoying.

If you have dozens (or hundreds, for that matter) of certificates mapped to the same IP address you can simply put them in a directory (following a simple convention we’ll elaborate in a bit) and let uWSGI scan it whenever it needs to find a context for a domain.

To add a directory just use

--sni-dir <path>

like

--sni-dir /etc/customers/certificates

Now, if you have unbit.com and example.com certificates (.crt) and keys (.key) just drop them in there following these naming rules:

  • /etc/customers/certificates/unbit.com.crt

  • /etc/customers/certificates/unbit.com.key

  • /etc/customers/certificates/unbit.com.ca

  • /etc/customers/certificates/example.com.crt

  • /etc/customers/certificates/example.com.key

As you can see, example.com has no .ca file, so client authentication will be disabled for it.

If you want to force a default cipher set to the SNI contexts, use

--sni-dir-ciphers HIGH

(or whatever other value you need)

Note: Unloading SNI objects is not supported. Once they are loaded into memory they will be held onto until reload.

Subscription system and SNI

uWSGI 2.0 added support for SNI in the subscription system.

The https/spdy router and the sslrouter can dynamically load certificates and keys from the paths specified in a subscription packet:

uwsgi --subscribe2 key=mydomain.it,socket=0,sni_key=/foo/bar.key,sni_crt=/foo/bar.crt

the router will create a new SSL context based on the specified files (be sure the router can reach them) and will destroy it when the last node disconnect.

This is useful for massive hosting where customers have their certificates in the home and you want them the change/update those files without bothering you.

Note

We understand that directly encapsulating keys and cert in the subscription packets will be much more useful, but network transfer of keys is something really foolish from a security point of view. We are investigating if combining it with the secured subscription system (where each packet is encrypted) could be a solution.