
How to make a dynamic SSL HTTPS server in nodejs without SNICallback

I want to make a dynamic SSL HTTPS server in node.js without using SNICallback, maybe using open SSL?

Steffen Ullrich:
*"maybe using open SSL?"* - nodejs is already using the openssl library, and SNICallback is basically the way openssl requires the application to implement different certificates based on the given server name in the TLS ClientHello (i.e. SNI). And just stating *"I want to ... without using SNICallback"* looks like an [XY problem](https://meta.stackexchange.com/questions/66377/what-is-the-xy-problem) to me - where does this requirement come from, i.e. what real problem dictates that you cannot use SNICallback?
wesley allison:
@SteffenUllrich I wanted it to be used as a normal production web server. But I also wanted to be able to use tools like curl, which don't appear to support SNICallback. Unless I'm wrong.
Steffen Ullrich:
curl is an HTTP client and not a server. All modern clients (including curl) send the server name in the ClientHello and thus work together with the SNICallback in nodejs. Also, you could simply add the various contexts using [server.addContext](https://stackoverflow.com/a/25953210/3081018), which internally uses the SNI callback (or in terms of the openssl API - [SSL_CTX_set_tlsext_servername_callback](https://www.openssl.org/docs/man1.1.1/man3/SSL_CTX_set_tlsext_servername_callback.html)). And if the server name is not given in the ClientHello, addContext will use the most recently added context.
dave_thompson_085:
(@SteffenUllrich) except _obsolete_ tools like a router or embedded device from about 2012 or earlier with no updates from the manufacturer (e.g. went bankrupt) -- then you might lack SNI. In that case you either need to get a cert with SAN listing all the servernames (clients mostly supported SAN since early noughties) or _if_ your servernames are all subdomains of the same domain get a cert with a _wildcard_ name that matches all of them. Otherwise use the old old way, different servers on different IP addresses or ports :-(
wesley allison:
@SteffenUllrich what I really had in mind was making an HTTPS server from scratch using net.Server
Steffen Ullrich:
@wesleyallison: *"making a HTTPS server from scratch using net.Server"* - net.Server has no support for TLS. That's what the TLS module is for - which also has support for SNI. Anyway, all of this seems to be off-topic here since serverfault.com is not about programming - that's what stackoverflow.com is for.
wesley allison:
@SteffenUllrich sorry if it's off topic. I think what I'm trying to do is too complicated: I'm trying to remake TLS, I guess.