CURL and using HTTP Host Header for SNI

Recently I added an HKPS pool to sks-keyservers.net, and as part of that process I validate the SKS keyservers' SSL/TLS certificates against my own Certificate Authority, so that only servers with certificates signed by me are included. This ensures a subjectAltName for the appropriate host, in order to avoid certificate failures. So far so good.

Some servers, for various reasons, need to have another certificate installed, signed by another authority. For this to be handled properly, Server Name Indication (SNI) is used to map the request to the correct virtual host and the certificate to present to the client.

My crawler uses curl as the basis for its requests, and since it connects using the hostname found in server discovery, it uses the HTTP Host: header for the pool name. The problem with vanilla curl, however, is that there is no way to manually set the SNI hostname to use; it defaults to the hostname of the request.

As such, I wrote a patch that uses the Host header value for SNI instead. I'm adding it here in case it is useful for anyone else.
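The behaviour the patch gives curl, shown as an added example that is not the patch itself or any sks-keyservers.net code: the TCP connection goes to the discovered server name, but the TLS server name (SNI) and the certificate's subjectAltName check both use the Host: header value. The host names, CA file and path are assumptions.

```python
import socket
import ssl

# Constructed example values: the server name from discovery (TCP target) and
# the pool name that should appear in both SNI and the Host: header.
DIRECT_HOST = "keys.example.org"      # hypothetical discovered server
POOL_HOST = "hkps.pool.example.net"   # hypothetical pool name

def sni_name(url_host, headers):
    """Rule the patch adds: if a Host: header is set, it becomes the TLS
    server name; otherwise fall back to the hostname of the request."""
    for name, value in headers.items():
        if name.lower() == "host":
            return value.split(":", 1)[0].strip()   # drop any :port suffix
    return url_host

def build_request(path, headers):
    """Serialise a minimal HTTP/1.1 GET carrying the given headers."""
    lines = [f"GET {path} HTTP/1.1"]
    lines += [f"{k}: {v}" for k, v in headers.items()]
    lines += ["Connection: close", "", ""]
    return "\r\n".join(lines).encode("ascii")

def fetch(url_host, path, headers, cafile=None, port=443, timeout=10):
    """Connect by TCP to url_host, but send SNI for the Host: header value
    and verify the presented certificate against that name (cafile=None
    uses the system trust store; pass the private CA file to pin to it)."""
    ctx = ssl.create_default_context(cafile=cafile)   # verification stays on
    name = sni_name(url_host, headers)
    with socket.create_connection((url_host, port), timeout=timeout) as raw:
        # server_hostname sets the SNI extension and the hostname check.
        with ctx.wrap_socket(raw, server_hostname=name) as tls:
            tls.sendall(build_request(path, headers))
            chunks = []
            while True:
                data = tls.recv(4096)
                if not data:
                    break
                chunks.append(data)
    return b"".join(chunks)

if __name__ == "__main__":
    hdrs = {"Host": POOL_HOST, "User-Agent": "sks-crawler-example"}
    print("SNI will be:", sni_name(DIRECT_HOST, hdrs))
    print(fetch(DIRECT_HOST, "/pks/lookup?op=stats", hdrs)[:200])
```

A server that serves the pool name only via a separate virtual host will fail the handshake or the hostname check when SNI carries the direct name, which is exactly the failure the Host-derived SNI avoids.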

mod_gnutls: Requiring encryption

I recently switched from mod_ssl to mod_gnutls for providing encryption and verification on some of my web servers. mod_gnutls uses the GnuTLS library to provide SSL 3.0, TLS 1.0, TLS 1.1 and TLS 1.2 encryption for Apache HTTPD; it is similar to mod_ssl in purpose, but does not use OpenSSL. Since some of the servers have only one public IP, in order to provide encryption on multiple websites I prefer to use TLS, although, in all fairness, SSL with SNI is an alternative. I do, however, feel the TLS protocol is a cleaner one, so that is what I'll support.

As a result of the switch, sks-keyservers.net is now also encryption-enabled, using a self-signed certificate that can be verified through the OpenPGP Web of Trust using Monkeysphere.

One thing I am missing in mod_gnutls, however, is a way to require that certain file paths be served encrypted. Granted, this can be done using configuration directives in the VirtualHost settings for the non-TLS host, but I find it much cleaner to be able to set this on a per-directory basis (.htaccess). As such, I've written a small patch that adds the "GnuTLSRequireSSL" directive to mod_gnutls. It takes one argument, which can have the value "On" or "Off". Download the patch here