Hi Yutaka,

STLS=mitm is followed from your notes; after your explanation, yes, we should configure it to be STLS=fcl. Yes, I know the SNI should be supported by the browser as well; we are using Firefox 3.0.13 to test it. I just tested it with STLS=fcl: the certificate is still the delegate host's (portal.abc.com), rather than our customer's (portal.xyz.com), even though I have moved both the certificate and key files for each domain into that CERTDIR folder.

Kind Regards,
David

On Sat, Sep 19, 2009 at 7:12 PM, Yutaka Sato <feedback@delegate.org> wrote:
> Hi,
>
> In message <_A4568@delegate-en.ML_> on 09/18/09(09:21:45)
> you David Wang <p2eiqbdyi-hhkpukwrzulr.ml@ml.delegate.org> wrote:
> |Actually our delegate host is our portal, acting as the proxy from https to
> |http. Most customers access it via our domain with a permitted source IP
> |address list, such as https://portal.abc.com/ with our ssl certificate. It's
> |been working fine so far. But now some customers would like to access it via
> |their own domain, such as https://portal.xyz.com/ with their own ssl
> |certificate. We can ask them to add a DNS A record to resolve the domain to
> |our delegate host IP address, but how can delegate achieve multiple ssl
> |certificates from multiple domains on the same IP address and port? Apache
> |has official support for SNI since 2.2.12 and the details of how to implement it.
> |We have all delegate settings in a config file named delegate_https.cfg,
> |and run delegate with this CLI:
> |$DELEGATED -P443 SERVER=https RESOLV="file:/etc/hosts-dg,dns,sys"
> |RES_VRFY="" +=/var/spool/delegate-nobody/etc/delegate_https.cfg
> |CERTDIR=/var/spool/delegate-nobody/etc/certs, STLS=mitm
> |Those settings are followed from your notes "CLUSTER and TLS ext. SNI",
> |http://www.delegate.org/mail-lists/delegate-en/03889.
> |Also, can I have another question? That permitted source IP address list
> |seems not to be working while accessing our portal via those external domains,
> |such as https://portal.xyz.com/.
>
> Again I must ask why you use MITM for your usage (that I'm not sure yet).
> STLS=mitm only makes sense in a client-side visible HTTP proxy (referred
> to by clients as an SSL tunnel with the CONNECT method).
>
> In a HTTPS gateway (a proxy at the server-side, or "reverse proxy" that
> is accessed as if it is an origin server), it must be STLS=fcl in a gateway
> for HTTPS client to HTTP server, or STLS=fcl,fsv in a HTTPS to HTTPS gateway.
>
> Also you should be sure that SNI is supported on the client-side
> (usually in browsers) to enable and make available the feature at the
> server-side.
>
> Cheers,
> Yutaka
> --
>   9 9   Yutaka Sato <y.sato@delegate.org> http://delegate.org/y.sato/
>  ( ~ )  National Institute of Advanced Industrial Science and Technology
> _<   >_ 1-1-4 Umezono, Tsukuba, Ibaraki, 305-8568 Japan
> Do the more with the less -- B. Fuller
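A way to check the symptom David describes (the gateway serving portal.abc.com's certificate for portal.xyz.com), as an added example that is neither part of this thread nor DeleGate's own code: connect to the gateway once per SNI name and compare the SHA-256 fingerprint of the leaf certificate it presents with the fingerprint of the PEM file staged for that name in CERTDIR. The gateway address 192.0.2.10 and the per-host file names under CERTDIR are assumptions; SAMPLE_PEM is a constructed placeholder, not a real certificate.

```python
import hashlib
import socket
import ssl

# Constructed stand-in so the helpers can be exercised offline; not a real cert.
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              "Y29uc3RydWN0ZWQ=\n"
              "-----END CERTIFICATE-----\n")

def fingerprint_pem(pem_text):
    """SHA-256 fingerprint (hex) of the certificate in a PEM string."""
    return hashlib.sha256(ssl.PEM_cert_to_DER_cert(pem_text)).hexdigest()

def presented_fingerprint(host, port, server_name):
    """Handshake with SNI=server_name and fingerprint the leaf certificate the
    gateway presents. Verification is off on purpose: the question is which
    certificate is served, not whether it validates."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=server_name) as tls:
            return hashlib.sha256(tls.getpeercert(binary_form=True)).hexdigest()

def mismatches(presented, expected):
    """{name: (served, expected)} for every SNI name whose served certificate
    differs from the one staged for it; a name never probed shows as None."""
    return {name: (presented.get(name), fp)
            for name, fp in expected.items() if presented.get(name) != fp}

def audit_gateway(host, pem_by_name, port=443):
    """Probe every SNI name in pem_by_name and report the wrongly served ones."""
    expected = {}
    for name, path in pem_by_name.items():
        with open(path) as f:
            expected[name] = fingerprint_pem(f.read())
    presented = {name: presented_fingerprint(host, port, name) for name in expected}
    return mismatches(presented, expected)

if __name__ == "__main__":
    # Assumed gateway address and file names; the CERTDIR path is the one from the thread.
    certdir = "/var/spool/delegate-nobody/etc/certs"
    names = ["portal.abc.com", "portal.xyz.com"]
    bad = audit_gateway("192.0.2.10", {n: f"{certdir}/{n}.pem" for n in names})
    for name, (served, wanted) in bad.items():
        print(f"{name}: served {served[:16]}..., expected {wanted[:16]}...")
```

An empty result means every SNI name received its own certificate; a non-empty one pinpoints which virtual host the gateway is still answering with the default certificate.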