Skip to content

Commit f9cb2a3

Browse files
vinoskivinoski
committed
Augment sni config description
In the description of the sni configuration variable, mention setting depth to 0 if using self-signed certificates. Fix hyphenation and improve sentences in a few places.
1 parent 4579951 commit f9cb2a3

File tree

2 files changed

+25
-18
lines changed

2 files changed

+25
-18
lines changed

doc/yaws.tex

Lines changed: 17 additions & 12 deletions
Original file line numberDiff line numberDiff line change
@@ -1124,9 +1124,10 @@ \section{Server Name Indication}
11241124
certificate to clients. Possible solutions are listed here:
11251125
\url{http://wiki.cacert.org/VhostTaskForce}.
11261126

1127-
By default, SNI is disabled in \Yaws\ to be backward compatible with old
1128-
Erlang/OTP releases. But it can be enabled and fine tuned for each SSL
1129-
servers. Here is a basic example:
1127+
By default, SNI was originally disabled in \Yaws\ to be backward
1128+
compatible with old Erlang/OTP releases; it remains disabled by
1129+
default to remain compatible with older \Yaws\ releases. But it can be
1130+
enabled and fine-tuned for each SSL server. Here is a basic example:
11301131

11311132

11321133
\begin{verbatim}
@@ -1156,11 +1157,11 @@ \section{Server Name Indication}
11561157

11571158
Depending on the SNI hostname provided by the client, the first or the
11581159
second virtual host will be chosen, and the corresponding SSL
1159-
certificate will be presented to the client. In this example, non SNI
1160+
certificate will be presented to the client. In this example, non-SNI
11601161
clients are still supported. For such clients, the SSL certificate of
11611162
the first virtual server will be presented and the HTTP Host header will
1162-
be then used to find the correct virtual server. Otherwise, it is
1163-
possible to refuse non SNI clients, globally or per server.
1163+
then be used to find the correct virtual server. Otherwise, it is
1164+
possible to refuse non-SNI clients, globally or per server.
11641165

11651166

11661167
\chapter{Applications}
@@ -2695,7 +2696,7 @@ \section{Global Part}
26952696
\verb+pick_first_virthost_on_nomatch+---\textbf{must} include
26962697
TLS as a permitted protocol.
26972698

2698-
If \verb+sni+ directive is set to \textit{enable}, non SNI clients
2699+
If the \verb+sni+ directive is set to \textit{enable}, non-SNI clients
26992700
are allowed. For such clients, virtual servers are selected as if
27002701
Yaws did not have SNI support. If it is set to \textit{strict},
27012702
SNI hostname is mandatory to access a SSL virtual server. But in
@@ -2707,7 +2708,10 @@ \section{Global Part}
27072708
that the first virtual server have the most restrictive access
27082709
control, otherwise clients can access restricted resources by
27092710
sending a request for any unknown hostname. (This isn't actually
2710-
any different from using virtual servers without SNI support.)
2711+
any different from using virtual servers without SNI support.) If
2712+
you're using self-signed certificates, be sure to also set the
2713+
\verb+depth+ configuration variable to 0 to avoid following
2714+
certificate chains.
27112715

27122716
The \verb+sni+ directive is a global one, so if you set it to
27132717
\textit{strict}, non-SNI clients will be refused for \textbf{all}
@@ -3441,9 +3445,10 @@ \section{Server Part}
34413445
\item \verb+depth = Int+ --- Specifies the depth of certificate
34423446
chains the server is prepared to follow when verifying client
34433447
certs. For the OTP new SSL implementation it is also used to
3444-
specify how far the server, i.e. we, shall follow the SSL
3445-
certificates we present to the clients. Hence, using self
3446-
signed certs, we typically need to set this to 0.
3448+
specify how far the server (\Yaws\ in our case) shall
3449+
follow the SSL certificates we present to the clients. Hence,
3450+
using self-signed certificates, we typically need to set this
3451+
to 0.
34473452

34483453
\item \verb+password = String+ --- If the private key is
34493454
encrypted on disk, this password is the 3des key to decrypt it.
@@ -3508,7 +3513,7 @@ \section{Server Part}
35083513
\end{verbatim}
35093514

35103515
\item \verb+require_sni = true | false+ ---
3511-
If \textit{true}, the server will reject non SNI clients and
3516+
If \textit{true}, the server will reject non-SNI clients and
35123517
clients providing an unknown SNI hostname (this last remark
35133518
is only relevant for the first virtual server of a SSL
35143519
group). This directive is ignored if SNI support is disabled

man/yaws.conf.5

Lines changed: 8 additions & 6 deletions
Original file line numberDiff line numberDiff line change
@@ -375,8 +375,8 @@ accept the SNI information from the client, the first virtual server -- the
375375
default one, see \fBpick_first_virthost_on_nomatch\fR -- \fBmust\fR include TLS as
376376
a permitted protocol.
377377

378-
If \fBsni\fR directive is set to \fIenable\fR, non SNI clients are allowed. For
379-
such clients, virtual servers are selected as if Yaws did not have SNI
378+
If the \fBsni\fR directive is set to \fIenable\fR, non-SNI clients are allowed.
379+
For such clients, virtual servers are selected as if Yaws did not have SNI
380380
support. If it is set to \fIstrict\fR, SNI hostname is mandatory to access a SSL
381381
virtual server. But in all cases, when SNI support is enabled, if a client
382382
provides a SNI hostname, it \fBmust\fR match the HTTP Host header (which is
@@ -385,7 +385,9 @@ used for any request where the provided SNI hostname doesn't match any of
385385
virtual server names. So, it is important that the first virtual server have the
386386
most restrictive access control, otherwise clients can access restricted
387387
resources by sending a request for any unknown hostname. (This isn't actually
388-
any different from using virtual servers without SNI support.)
388+
any different from using virtual servers without SNI support.) If you're using
389+
self-signed certificates, be sure to also set the \fBdepth\fR configuration
390+
variable to 0 to avoid following certificate chains.
389391

390392
The \fBsni\fR directive is a global one, so if you set it to \fIstrict\fR,
391393
non-SNI clients will be refused for \fBall\fR SSL groups. See \fBrequire_sni\fR
@@ -1155,8 +1157,8 @@ certificate is supplied (an empty certificate is considered valid).
11551157
.RS 12
11561158
Specifies the depth of certificate chains the server is prepared to follow when
11571159
verifying client certs. For the OTP new SSL implementation it is also used to
1158-
specify how far the server, i.e. we, shall follow the SSL certificates we
1159-
present to the clients. Hence, using self-signed certs, we typically need to set
1160+
specify how far the server (Yaws in our case) shall follow the SSL certificates
1161+
we present to the clients. Hence, using self-signed certs, we typically need to set
11601162
this to 0.
11611163
.RE
11621164

@@ -1244,7 +1246,7 @@ protocol_version = tlsv1.3, tlsv1.2, tlsv1.1, tlsv1
12441246
.IP
12451247
\fBrequire_sni = true | false\fR
12461248
.RS 12
1247-
If \fItrue\fR,the server will reject non SNI clients and clients providing an
1249+
If \fItrue\fR,the server will reject non-SNI clients and clients providing an
12481250
unknown SNI hostname (this last remark is only relevant for the first virtual
12491251
server of a SSL group). This directive is ignored if SNI support is disabled (or
12501252
not supported).

0 commit comments

Comments
 (0)