Hello,

I'm lost with how sockets and TLS work, how can I host several gemini sites on the same host?

I cannot read the request before setting up TLS, but I need to know which hostname is requested to serve the correct certificate.

So I guess either:
1) It's possible to have several programs listen on the same port using different hostnames?
2) It's possible for a program which listens on a port to know which hostname was requested before the TLS handshake?

I use stream_socket_server and stream_socket_accept in PHP and did not find how to get the requested hostname.

I did not find good documentation on the purpose of the target in the socket name. I use tcp://[::]:1965 currently.
I do not understand what it does to put a hostname instead of [::] in there.

Côme
Côme Chilliet <come at chilliet.eu> writes:

> Hello,
>
> I'm lost with how sockets and TLS work, how can I host several gemini sites on the same host?
>
> I cannot read the request before setting up TLS, but I need to know which hostname is requested to serve the correct certificate.
>
> So I guess either:
> 1) It's possible to have several programs listen on the same port using different hostnames?
> 2) It's possible for a program which listens on a port to know which hostname was requested before the TLS handshake?
>
> I use stream_socket_server and stream_socket_accept in PHP and did not find how to get the requested hostname.
>
> I did not find good documentation on the purpose of the target in the socket name. I use tcp://[::]:1965 currently.
> I do not understand what it does to put a hostname instead of [::] in there.
>
> Côme

You should use the Server Name Indication (SNI) TLS extension. Gemini clients have to support SNI, by the spec. Basically, clients in the TLS handshake will tell you which hostname they want to talk to, so you can use the appropriate certificate.

Unfortunately I am not knowledgeable in PHP, so I cannot help you further.
On Wednesday 2 December 2020, 11:25:25 CET, Omar Polo wrote:
> You should use the Server Name Indication (SNI) TLS extension. Gemini
> clients have to support SNI, by the spec. Basically, clients in the TLS
> handshake will tell you which hostname they want to talk to, so you
> can use the appropriate certificate.

Thank you for the pointer, there is an SNI_enabled boolean I can set to true in SSL options: https://www.php.net/manual/en/context.ssl.php

I will keep searching in this direction then.

Côme
On Wed, Dec 02, 2020 at 11:17:41AM +0100, Côme Chilliet <come at chilliet.eu> wrote a message of 23 lines which said:

> I'm lost with how sockets and TLS work, how can I host several
> gemini sites on the same host?

The gemserv server <https://git.sr.ht/~int80h/gemserv/> has virtual hosts and certs per virtual host, so reading its source code may be useful.
I don't know if it will help you, but here's a walkthrough of how my Go implementation works. It's quite tied to the Go implementation, but there may be similar capabilities in PHP.

Firstly, the server keeps a map of the domain name to the underlying Gemini handler (the code that processes the request), and the TLS certificate to be used for that domain.

The Go TLS library allows a "GetCertificate" function to be added to the TLS configuration. This "GetCertificate" function is called during the TLS handshake and returns the certificate to present to the client (dh.KeyPair) based on the hostname being requested during the handshake.

https://github.com/a-h/gemini/blob/598044444c08befc3c01bafe5558a5decb83ab40/server.go#L180

With that configuration in place, the server enters a loop that listens for new incoming connections:

https://github.com/a-h/gemini/blob/598044444c08befc3c01bafe5558a5decb83ab40/server.go#L197

When a new connection is received, it's handled in another goroutine (similar to a thread) by the handleTLS function. This allows the loop to listen for new connections while content is being served by the goroutine.

https://github.com/a-h/gemini/blob/598044444c08befc3c01bafe5558a5decb83ab40/server.go#L211

Now that the handshake is over, but the Gemini request/response needs to take place, the handleTLS function has to read the domain name again to look up which Gemini handler to use for the domain that was accessed:

https://github.com/a-h/gemini/blob/598044444c08befc3c01bafe5558a5decb83ab40/server.go#L235
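The two replies above (Omar's pointer to SNI and the Go walkthrough) describe the same mechanism: pick the certificate from the SNI name during the handshake, then pick the handler from the same negotiated name afterwards. Below is an added, self-contained Go example of that pattern; it is not code from the original thread or from the a-h/gemini project. The VirtualHost and Server types, the hostnames alpha.example and beta.example, the in-memory self-signed certificates and the loopback listener are all constructed for the demo; a real deployment would load certificates from files and bind to port 1965.

```go
package main

import (
	"bufio"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"io"
	"math/big"
	"net"
	"strings"
	"time"
)

// VirtualHost (hypothetical type) pairs the certificate shown in the handshake with the handler for that hostname.
type VirtualHost struct {
	KeyPair tls.Certificate
	Handler func(url string) string // returns a complete Gemini response
}

// Server maps lowercase hostnames to virtual hosts.
type Server struct{ hosts map[string]*VirtualHost }

// lookup is the only place hostnames are matched, so handshake-time and post-handshake choices cannot disagree.
func (s *Server) lookup(host string) (*VirtualHost, bool) {
	vh, ok := s.hosts[strings.ToLower(strings.TrimSuffix(host, "."))]
	return vh, ok
}

// GetCertificate runs inside the TLS handshake; hello.ServerName is the SNI value, known before any request exists.
func (s *Server) GetCertificate(hello *tls.ClientHelloInfo) (*tls.Certificate, error) {
	vh, ok := s.lookup(hello.ServerName)
	if !ok { // fail the handshake rather than fall back to some default certificate
		return nil, fmt.Errorf("no virtual host for SNI %q", hello.ServerName)
	}
	return &vh.KeyPair, nil
}

// handleTLS runs per connection: finish the handshake, read the request line, dispatch on the negotiated ServerName.
func (s *Server) handleTLS(conn *tls.Conn) {
	defer conn.Close()
	conn.SetDeadline(time.Now().Add(10 * time.Second))
	if err := conn.Handshake(); err != nil {
		return // unknown SNI names were already refused in GetCertificate
	}
	line, err := bufio.NewReader(io.LimitReader(conn, 1026)).ReadString('\n') // URL + CRLF, 1024 bytes max
	vh, ok := s.lookup(conn.ConnectionState().ServerName)
	if err != nil || !ok {
		return
	}
	fmt.Fprint(conn, vh.Handler(strings.TrimRight(line, "\r\n")))
}

// selfSigned builds an in-memory certificate for host (constructed demo material, not for real use).
func selfSigned(host string) tls.Certificate {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{host},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		panic(err)
	}
	leaf, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: priv, Leaf: leaf}
}

func main() {
	srv := &Server{hosts: map[string]*VirtualHost{}}
	pool := x509.NewCertPool() // lets the demo client trust the constructed certificates
	for _, host := range []string{"alpha.example", "beta.example"} { // constructed hostnames
		h, cert := host, selfSigned(host)
		pool.AddCert(cert.Leaf)
		srv.hosts[h] = &VirtualHost{KeyPair: cert, Handler: func(url string) string {
			return "20 text/gemini\r\n# " + h + " served " + url + "\r\n"
		}}
	}
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		panic(err)
	}
	cfg := &tls.Config{GetCertificate: srv.GetCertificate, MinVersion: tls.VersionTLS12} // no static Certificates
	go func() { // accept loop; every connection is served in its own goroutine
		for {
			c, err := ln.Accept()
			if err != nil {
				return
			}
			go srv.handleTLS(tls.Server(c, cfg))
		}
	}()
	// The client selects the site through SNI alone; the URL is only sent after the handshake.
	conn, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{ServerName: "beta.example", RootCAs: pool})
	if err != nil {
		panic(err)
	}
	fmt.Fprint(conn, "gemini://beta.example/\r\n")
	resp, _ := io.ReadAll(conn)
	fmt.Print(string(resp))
}
```

Two points worth noticing: GetCertificate returns an error for an unknown or missing SNI name, so the handshake fails instead of silently presenting some default site's certificate, and handleTLS dispatches on ConnectionState().ServerName rather than on the host in the request URL, so the certificate the client verified and the content it receives always belong to the same virtual host.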