Beast: can Support SNI in HTTPS server?

Created on 1 Dec 2017 · 23 Comments · Source: boostorg/beast

Many domain names in a web application, and it is using SSL. How to do this?

All 23 comments

I want to use Beast to write a web application that supports SNI, not a client.

As with the client example shown above, for servers you will need to interact directly with the OpenSSL APIs. The answer to the question on this page provides insights on how this may be accomplished:

https://stackoverflow.com/questions/5113333/how-to-implement-server-name-indication-sni

nginx, apache, lighttpd and more web servers can provide SNI. Although Beast is a library, rather than a complete server, if you can provide SNI built-in, I think this can make many people like this library, and the work is simple. I know that ASIO does not provide SNI, but for many small and medium-sized start-ups, especially those providing web services, this is very important, at least in China.
I know that calling OpenSSL's native API can solve this problem, but most people don't know it.

if you can provide SNI built-in

If I was to do that, then Beast would require OpenSSL. There are lots of people who use Beast without using OpenSSL, and the change you propose would affect them negatively. Furthermore, Beast is a low-level library. It is not a server or a client. The feature that you are asking for is out of scope for Beast, and belongs in a higher level library such as a server or connection manager. It is possible that I might write such a library in the future, in which case I will certainly address SNI.

OK. I know that Beast is a low-level library. You cannot integrate OpenSSL into Beast. Can you consider giving an example of a server that supports SNI? When I was popularizing C++ for web services in small and medium enterprises, the question I was asked most was how to use multiple domains with one server. Most programmers only have boost.asio, and don't care about how OpenSSL works.

Can you consider giving an example of a server that supports SNI

I don't know how to do that

like this?

Well it isn't quite like that now is it? Because the server has to read the SNI string from the OpenSSL data and decide on which virtual server to route the request to?

No route, only a different servername for a different digital certificate. How the route works is something that the user (the programmer) should consider.
Their questions are only about one web application (a program) for most domain names.

You're telling me that the server has to read the SNI string from the client, and then decide which SSL certificate to present in the handshake?

yes. only handshake.

In fact, I think this issue can go to ASIO. What's your opinion?

Implementing correct examples which deal with SSL certificates is difficult and in some cases impossible. Getting the certificates to be recognized as valid in a browser or client is a problem, because the certificates that come with the examples are self-signed. And since there is no meaningful domain name (the examples bind to the IP address specified on the command line) there's no way to produce a valid certificate signed by a real certificate authority (like Verisign or many others).

Delivering just the one self-signed server certificate as currently demonstrated in the examples is hard enough, but attempting to choose between several of them goes way beyond my comfort zone. And it is also outside the scope of Beast.

I think this issue can go to ASIO. What's your opinion?

I can't speak for Asio but in my opinion this feature belongs in a library that specifically aims to implement a server (which Beast and Asio do not). I have plans for eventually offering a server library but that is at least 5 years away.

Most of the entrepreneurial companies in China are building their own platform (PaaS). Most of the scene is that, to provide a web service such as a takeaway app, other startups can resolve their own domain name to the platform and provide their own certificate, so it looks like a number of platforms, but in fact it is one company providing a service platform.

Maybe China is not the same as your environment.

Then can I write that and upload it to my GitHub?

Then can I write that and upload it to my GitHub?

I'm always happy to see people build new libraries and applications with Beast!

only exp.

I'll consider the next project with beast and let more companies use it. All I've been using is my own library, and cinatra.

I'll close this issue, and I'm going to bed. It's been too late in China.

It's a pleasure to communicate with you

It's a pleasure to communicate with you

Likewise, thank you for your comments and support for Beast!

Cheers for C++. bye~

Somewhat related issue that was opened in ASIO:
https://github.com/chriskohlhoff/asio/issues/262

thanks.
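
The certificate choice discussed in this thread (read the SNI name during the handshake, then pick the certificate to present), as an added example that is not code from Beast, Asio or any participant. `SniContextMap` and the host names are hypothetical; the OpenSSL calls are named only in comments so the block builds without OpenSSL.

```cpp
#include <algorithm>
#include <cctype>
#include <iostream>
#include <map>
#include <string>

// Added example. Ctx is the server's per-domain TLS context handle, e.g. SSL_CTX*.
template <class Ctx>
class SniContextMap {  // hypothetical helper, not part of Beast, Asio or OpenSSL
    std::map<std::string, Ctx> exact_, wildcard_;  // wildcard_ key: text after "*."
    Ctx fallback_;
    static std::string normalize(std::string h) {
        if (!h.empty() && h.back() == '.') h.pop_back();  // drop a trailing root dot
        std::transform(h.begin(), h.end(), h.begin(), [](unsigned char c) {
            return static_cast<char>(std::tolower(c));    // host names are case-insensitive
        });
        return h;
    }
public:
    explicit SniContextMap(Ctx fallback) : fallback_(fallback) {}
    void add(const std::string& pattern, Ctx ctx) {
        std::string p = normalize(pattern);
        if (p.rfind("*.", 0) == 0) wildcard_[p.substr(2)] = ctx;
        else exact_[p] = ctx;
    }
    // name: result of SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name) inside the
    // servername callback; null without SNI, and unauthenticated client input always.
    Ctx select(const char* name) const {
        if (!name) return fallback_;
        const std::string h = normalize(name);
        auto e = exact_.find(h);
        if (e != exact_.end()) return e->second;
        const auto dot = h.find('.');  // a wildcard covers exactly one leftmost label
        if (dot != std::string::npos && dot > 0) {
            auto w = wildcard_.find(h.substr(dot + 1));
            if (w != wildcard_.end()) return w->second;
        }
        return fallback_;  // unknown name: default certificate, never another tenant's
    }
};

int main() {  // constructed names; strings stand in for the real contexts
    SniContextMap<std::string> m("default-ctx");
    m.add("shop.example.com", "shop-ctx");
    m.add("*.example.org", "org-wildcard-ctx");
    const char* names[] = {"SHOP.example.com.", "a.example.org", "example.org", "other.test"};
    for (const char* n : names) std::cout << n << " -> " << m.select(n) << "\n";
    std::cout << "(no SNI) -> " << m.select(nullptr) << "\n";
}
```

In a real callback registered with `SSL_CTX_set_tlsext_servername_callback`, the selected context would be applied with `SSL_set_SSL_CTX(ssl, ctx)` before the handshake continues.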
