Thread: TIdHttpServer and SNI server name identification




Replies: 10 - Last Post: Nov 30, 2017 9:20 AM Last Post By: Remy Lebeau (Te...
Mike Terry

Posts: 1
Registered: 9/21/12
TIdHttpServer and SNI server name identification  
  Posted: Jun 17, 2016 7:40 AM
Hello all,

We have developed a "web portal" for our customers to allow their patients to access information. We are using XE6 with the default version of Indy10; however, we are upgrading to the latest version of Delphi and Indy10 next month.

Currently the application creates a separate TidHttpServer with a corresponding SSL IO Handler for each portal.<domainname>.com; therefore, we have to use non-standard ports like 7443, 7444, ... when our customer is running multiple web portals on a single server machine. We are also now hosting multiple customers on a single data center server machine. Again, each has to run on a separate, non-standard port.

After some googling I have discovered that the "SNI" (Server Name Identification) extension to the TLS protocol is what Apache/IIS and other web servers use to support multiple SSL certificates on a single IP/port.

I have also found Indy10 has recently added support for client-side SNI but as of January 2016 does not support server-side SNI.

Has anyone added support for server-side SNI, or does anyone know when Indy10 will support it?

Thanks, Mike
Remy Lebeau (Te...


Posts: 9,447
Registered: 12/23/01
Re: TIdHttpServer and SNI server name identification  
  Posted: Jun 17, 2016 9:49 AM   in response to: Mike Terry
Mike wrote:

I have also found Indy10 has recently added support for client side
SNI but as of January 2016 does not support server side SNI.

Correct. That is still the case.

Has anyone added support for server side SNI

No.

does anyone know when Indy10 will support it.

It is on the TODO list, but there is no ETA at this time.

Add support for TLS "Server Name Indication" (SNI)
http://indy.codeplex.com/workitem/25459

You are welcome to try adding support for it yourself. Here are the steps
involved:

• Set up an additional SSL_CTX() for each different certificate;

• Add a servername callback to each SSL_CTX() using SSL_CTX_set_tlsext_servername_callback();

• In the callback, retrieve the client-supplied servername with SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name). Figure out the right SSL_CTX to go with that host name, then switch the SSL object to that SSL_CTX with SSL_set_SSL_CTX().

The s_client.c and s_server.c files in the apps/ directory of the OpenSSL
source distribution implement this functionality, so they're a good resource
to see how it should be done.

--
Remy Lebeau (TeamB)
Nikolay SCHepetov

Posts: 4
Registered: 3/1/11
Re: TIdHttpServer and SNI server name identification  
  Posted: Apr 18, 2017 12:30 AM   in response to: Remy Lebeau (Te...
I had the same problem some years ago and used SNI with an HTTP server based on Indy 10, adapted and compiled on Delphi 4 )))
In my implementation, certificates for alternative DNS names are placed in sub-directories of the folder where all SSL certificates are placed.
.\SSL\ca.crt
.\SSL\Server.crt
.\SSL\Server.key

.\SSL\AltName_1\ca.crt
.\SSL\AltName_1\Server.crt
.\SSL\AltName_1\Server.key

.\SSL\AltName_2\ca.crt
.\SSL\AltName_2\Server.crt
.\SSL\AltName_2\Server.key
where AltName_N is an alternative host name (not an IP address).

Samples are here:
http://marketmec.ru/SRC/IdSSLOpenSSL.pas
http://marketmec.ru/SRC/IdSSLOpenSSLHeaders.pas

SSL contexts are created dynamically and stored in the Contexts string list. See the SNI_SUPPORT directives in the code to understand it.
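Remy's three OpenSSL steps and Nikolay's one-directory-per-AltName layout come down to the same thing: a table mapping host names to loaded certificates, consulted from a servername callback. The C program below is an added example, not Indy's code and not from either poster, that does exactly that against the OpenSSL C API. The host names, the SSL/AltName_N certificate paths and the WITH_OPENSSL build switch are placeholders I chose. The security-relevant part is lookup_vhost(): the name comes straight from the client's ClientHello, so it is matched exactly and used only as a table key, never as a path component.

```c
/*
 * Added example, not Indy code: server-side SNI with the OpenSSL C API,
 * following the three steps in the reply above. The host-name -> certificate
 * table mirrors the per-AltName_N directory layout; every host name and
 * file path in it is a placeholder.
 *   with OpenSSL:       cc -DWITH_OPENSSL sni_demo.c -lssl -lcrypto
 *   lookup logic only:  cc sni_demo.c
 */
#include <stddef.h>
#include <stdio.h>
#include <strings.h>
#ifdef WITH_OPENSSL
#include <openssl/ssl.h>
#endif

/* One entry per certificate. Index 0 is the default, used when the client
 * sends no server_name extension (old clients, connections by raw IP). */
struct vhost {
    const char *hostname;   /* DNS name the client is expected to send */
    const char *cert_file;  /* placeholder, e.g. SSL/AltName_1/Server.crt */
    const char *key_file;   /* placeholder, e.g. SSL/AltName_1/Server.key */
#ifdef WITH_OPENSSL
    SSL_CTX *ctx;           /* step 1: one context per certificate */
#endif
};

static struct vhost vhosts[] = {
    { "portal.example.com",        "SSL/Server.crt",           "SSL/Server.key" },
    { "portal.customer-a.example", "SSL/AltName_1/Server.crt", "SSL/AltName_1/Server.key" },
    { "portal.customer-b.example", "SSL/AltName_2/Server.crt", "SSL/AltName_2/Server.key" },
};
#define NVHOSTS (sizeof vhosts / sizeof vhosts[0])

/* Map the client-supplied name to an index into vhosts[]: NULL (no SNI sent)
 * selects the default, an unknown name returns -1. Exact, ASCII
 * case-insensitive match only, no wildcard/prefix/substring logic: the name
 * is attacker-controlled and is used purely as a lookup key, never as a path. */
static int lookup_vhost(const char *servername)
{
    size_t i;
    if (servername == NULL)
        return 0;
    for (i = 0; i < NVHOSTS; i++)
        if (strcasecmp(servername, vhosts[i].hostname) == 0)
            return (int)i;
    return -1;
}

#ifdef WITH_OPENSSL
/* Step 3: runs while the ClientHello is processed, before any certificate
 * has been sent, so the SSL object can still be moved to another context. */
static int servername_cb(SSL *ssl, int *al, void *arg)
{
    int idx = lookup_vhost(SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name));
    (void)arg;
    if (idx < 0) {
        /* Unknown name: carry on with the default certificate, as s_server.c
         * and most web servers do. Strict alternative that aborts instead:
         *   *al = SSL_AD_UNRECOGNIZED_NAME; return SSL_TLSEXT_ERR_ALERT_FATAL; */
        (void)al;
        return SSL_TLSEXT_ERR_NOACK;
    }
    if (idx > 0)
        SSL_set_SSL_CTX(ssl, vhosts[idx].ctx);   /* swaps cert, key and chain */
    return SSL_TLSEXT_ERR_OK;
}

/* Steps 1 and 2: build every context and hang the callback on each one.
 * Returns 0 on success, -1 if a certificate or key fails to load. */
static int init_contexts(void)
{
    size_t i;
    for (i = 0; i < NVHOSTS; i++) {
        SSL_CTX *ctx = SSL_CTX_new(TLS_server_method());
        if (ctx == NULL
            || SSL_CTX_use_certificate_chain_file(ctx, vhosts[i].cert_file) != 1
            || SSL_CTX_use_PrivateKey_file(ctx, vhosts[i].key_file, SSL_FILETYPE_PEM) != 1
            || SSL_CTX_check_private_key(ctx) != 1) {
            fprintf(stderr, "cannot load certificate for %s\n", vhosts[i].hostname);
            SSL_CTX_free(ctx);
            return -1;
        }
        SSL_CTX_set_tlsext_servername_callback(ctx, servername_cb);
        vhosts[i].ctx = ctx;
    }
    return 0;
}
#endif

int main(void)
{
#ifdef WITH_OPENSSL
    if (init_contexts() != 0)   /* accept loop using vhosts[0].ctx is omitted */
        return 1;
#endif
    printf("no SNI -> %d, customer-a -> %d, unknown -> %d\n", lookup_vhost(NULL),
           lookup_vhost("PORTAL.CUSTOMER-A.EXAMPLE"), lookup_vhost("evil.example"));
    return 0;
}
```

Build with `cc -DWITH_OPENSSL sni_demo.c -lssl -lcrypto` to get the callback and context setup; without the define only the lookup policy compiles. What to do with an unknown name is a deliberate choice: continuing on the default certificate keeps clients that send a wrong or missing name working, while a fatal unrecognized_name alert never presents a certificate the client did not ask for.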
Remy Lebeau (Te...


Posts: 9,447
Registered: 12/23/01
Re: TIdHttpServer and SNI server name identification  
  Posted: Apr 18, 2017 10:34 AM   in response to: Nikolay SCHepetov
Nikolay wrote:


Your version of those files is outdated. You should consider updating them.

SSL contexts are created dynamically and stored in the Contexts string list.

Using a TStringList for non-TObject pointers will not work on mobile platforms.
But I will adjust the code as needed.

--
Remy Lebeau (TeamB)
Remy Lebeau (Te...


Posts: 9,447
Registered: 12/23/01
Re: TIdHttpServer and SNI server name identification  
  Posted: Apr 18, 2017 10:53 AM   in response to: Nikolay SCHepetov
Nikolay wrote:


Your mods use the TrhttpAddTypes unit; what is that? Is it the unit that
defines TSSL_Certs_Rec? What is it defined as? I can't use 3rd-party units
in Indy.

--
Remy Lebeau (TeamB)
Nikolay SCHepetov

Posts: 4
Registered: 3/1/11
Re: TIdHttpServer and SNI server name identification  
  Posted: Nov 29, 2017 11:22 AM   in response to: Remy Lebeau (Te...
unit TrhttpAddTypes;

interface

type
  TSSL_Certs_Rec = record
    fSSL_Certs_ID: Integer;  // Kolya
    fSSL_Cert_Info: String;  // Kolya
  end;

implementation

end.

Nikolay SCHepetov

Posts: 4
Registered: 3/1/11
Re: TIdHttpServer and SNI server name identification  
  Posted: Nov 29, 2017 11:43 AM   in response to: Nikolay SCHepetov
Some things about Indy HTTP server speed.

If the Indy server works in session mode, there is a performance penalty for simple but frequent requests, for two reasons.
1. A large number of sessions requires a lot of CPU resources to search for one of them (SameText() in a linear search over the list of sessions is very ineffective).
2. The search operation itself, which locks the critical section of the session list (see also No. 1).

To avoid this,
1. Use ordered storage of sessions and binary (fast) search (there are also more optimal functions for comparing strings).
2. Replace the single list of sessions with N session lists (a reasonable number is about 20), to reduce competition for the semaphore object by N times. The session finder selects the actual list based on a hash string of the SessionID (Sum_of_all_charcodes_in_hash mod N). This reduces the count of objects in one list for fast search, and critical-section deadlocks between different threads.

When testing the server returning small files (~10 KB) over HTTP, such optimizations increased performance from 300..500 requests/sec to 1500 requests/sec. (I use JMeter.)

Edited by: Nikolay SCHepetov on Nov 29, 2017 11:45 AM

Edited by: Nikolay SCHepetov on Nov 29, 2017 11:50 AM
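As an added example that is not part of the thread and not Indy's code, the C program below implements the two optimizations described in the post above: N independent session lists, each under its own lock, each kept sorted by session ID so that a lookup is a binary search instead of a linear scan. NBUCKETS, the FNV-1a bucket selector and the constructed sess-NNNN IDs are my choices, not the poster's; FNV-1a is used instead of a plain sum of character codes because a sum sends IDs that are anagrams of each other to the same bucket, which defeats the sharding.

```c
/*
 * Added example, not Indy code: a sharded, sorted session table of the kind
 * described in the post above. NBUCKETS independent lists, each with its own
 * lock and kept sorted by session ID so a lookup is a binary search; the
 * bucket is chosen by hashing the ID (FNV-1a here, my choice). Session IDs
 * used with it are constructed strings, not real Indy session IDs.
 */
#include <pthread.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define NBUCKETS 20   /* cSessionListPerServer in the post */
struct session { char *id; int hits; };   /* hits stands in for real session state */
struct bucket  { pthread_mutex_t lock; struct session *items; size_t n, cap; };
static struct bucket buckets[NBUCKETS];

void session_table_init(void)
{
    size_t i;
    for (i = 0; i < NBUCKETS; i++)
        pthread_mutex_init(&buckets[i].lock, NULL);
}

static struct bucket *bucket_of(const char *id)
{
    uint32_t h = 2166136261u;                      /* FNV-1a, 32-bit */
    for (; *id; id++) { h ^= (unsigned char)*id; h *= 16777619u; }
    return &buckets[h % NBUCKETS];
}

/* Binary search in one bucket: 1 and the index in *pos if present, else 0 and
 * the insertion point that keeps the list sorted. */
static int find_slot(const struct bucket *b, const char *id, size_t *pos)
{
    size_t lo = 0, hi = b->n;
    while (lo < hi) {
        size_t mid = lo + (hi - lo) / 2;
        int c = strcmp(b->items[mid].id, id);
        if (c == 0) { *pos = mid; return 1; }
        if (c < 0) lo = mid + 1; else hi = mid;
    }
    *pos = lo;
    return 0;
}

/* Insert a new session: 0 on success, -1 if the ID exists already or on OOM.
 * Only this bucket's lock is held, so requests hitting other buckets proceed. */
int session_add(const char *id)
{
    struct bucket *b = bucket_of(id);
    size_t pos, len = strlen(id) + 1;
    int rc = -1;
    pthread_mutex_lock(&b->lock);
    if (!find_slot(b, id, &pos)) {
        if (b->n == b->cap) {                      /* grow the sorted array */
            size_t ncap = b->cap ? 2 * b->cap : 8;
            struct session *p = realloc(b->items, ncap * sizeof *p);
            if (p != NULL) { b->items = p; b->cap = ncap; }
        }
        char *copy = (b->n < b->cap) ? malloc(len) : NULL;
        if (copy != NULL) {
            memcpy(copy, id, len);
            memmove(&b->items[pos + 1], &b->items[pos], (b->n - pos) * sizeof *b->items);
            b->items[pos].id = copy;
            b->items[pos].hits = 0;
            b->n++;
            rc = 0;
        }
    }
    pthread_mutex_unlock(&b->lock);
    return rc;
}

/* Look up a session and count the hit: the new hit count, or -1 if unknown. */
int session_touch(const char *id)
{
    struct bucket *b = bucket_of(id);
    size_t pos;
    int hits = -1;
    pthread_mutex_lock(&b->lock);
    if (find_slot(b, id, &pos))
        hits = ++b->items[pos].hits;
    pthread_mutex_unlock(&b->lock);
    return hits;
}

size_t session_bucket_count(size_t i) { return buckets[i % NBUCKETS].n; }

/* Invariant check: total sessions, or -1 if any bucket is not strictly sorted. */
long session_table_verify(void)
{
    long total = 0;
    size_t i, j;
    for (i = 0; i < NBUCKETS; i++) {
        for (j = 1; j < buckets[i].n; j++)
            if (strcmp(buckets[i].items[j - 1].id, buckets[i].items[j].id) >= 0)
                return -1;
        total += (long)buckets[i].n;
    }
    return total;
}
```

The lock is per bucket, so two requests only contend when their session IDs hash to the same list; the sorted insert costs a memmove, which is cheap next to the linear string comparison it replaces on every later lookup. Session IDs must be server-generated random strings for the bucket selector to spread them evenly; if clients could choose their own IDs they could pile every session into one bucket.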
Remy Lebeau (Te...


Posts: 9,447
Registered: 12/23/01
Re: TIdHttpServer and SNI server name identification  
  Posted: Nov 29, 2017 8:10 PM   in response to: Nikolay SCHepetov
Nikolay SCHepetov wrote:
Some things about Indy-http server speed.

Thanks. I have added it to the TODO list:

https://github.com/IndySockets/Indy/issues/189

--
Remy Lebeau (TeamB)
Remy Lebeau (Te...


Posts: 9,447
Registered: 12/23/01
Re: TIdHttpServer and SNI server name identification  
  Posted: Nov 29, 2017 8:04 PM   in response to: Nikolay SCHepetov
Nikolay SCHepetov wrote:
unit TrhttpAddTypes;

interface

type
  TSSL_Certs_Rec = record
    fSSL_Certs_ID: Integer;  // Kolya
    fSSL_Cert_Info: String;  // Kolya
  end;

implementation

end.


Thanks. I am continuing to incorporate this into Indy...

--
Remy Lebeau (TeamB)
Nikolay SCHepetov

Posts: 4
Registered: 3/1/11
Re: TIdHttpServer and SNI server name identification  
  Posted: Nov 29, 2017 9:38 PM   in response to: Remy Lebeau (Te...
Remy Lebeau (TeamB) wrote:
Nikolay SCHepetov wrote:


Thanks. I am continuing to incorporate this into Indy...

--
Remy Lebeau (TeamB)

You can find a sample of the optimizations here (it is not the current version of IdCustomHTTPServer.pas, use it only as a sample!):
http://marketmec.ru/SRC/IdCustomHTTPServer.pas
http://marketmec.ru/SRC/TrCompare.pas

See the directives:
IDMULTYSL (gives N = const cSessionListPerServer session lists) (warning! this optimization potentially requires changes to users' custom code that accesses the SessionList)

IDSORTEDSL (the session list becomes sorted (changes the add and get operations))

And one question.
Is support for the "websocket" technology present in the current Indy HTTP server? Some years ago I did not find websockets in this project and wrote some code for this functionality (maybe not in good form, but... it works for my needs). If Indy does not have this functionality at the current time, I can show a sample of how this can be done.

Edited by: Nikolay SCHepetov on Nov 29, 2017 9:41 PM

Remy Lebeau (Te...


Posts: 9,447
Registered: 12/23/01
Re: TIdHttpServer and SNI server name identification
  Posted: Nov 30, 2017 9:20 AM   in response to: Nikolay SCHepetov
Nikolay SCHepetov wrote:

Is support for the "websocket" technology present in the current Indy
HTTP server?

No, Indy does not currently support websockets, but it is something
that is being looked into. And there are existing 3rd party websocket
libraries, some of which use Indy internally.

--
Remy Lebeau (TeamB)