Detect if incoming connections request a specific hostname/domain using SNI and reply with the appropriate server certificate.
To support Automated Certificate Management Environment (ACME) for Let's Encrypt and potentially other CAs, it would be desirable to support Domain Validation with Server Name Indication (DVSNI) as part of the server-side SNI implementation.
This has been raised on the mailing list:
How should SNI server support work:
- transports can continue to be configured the way they are now and work the same way
- if a connection comes in without SNI, the default certificate configured for the transport should be used, as it is now
- configuration support at the stack level and in repro.config for adding supplementary certificates / virtual hosted domains
- if a connection request comes in with SNI and the certificate is available, it should be used instead of the default certificate for the transport
- some parameters for the transport (e.g. client verification mode) remain constant
- other per-transport parameters (RecordRouteUri) may need to be adjusted based on the domain selected by SNI
- this flexibility could be achieved by creating additional "virtual" transports in repro.config, possibly overlapping the bind addresses of existing transports, or maybe creating a wildcard/regex rule or lookup table for Record Route URI values
Transport<n>Type is another parameter that may need to vary based on SNI. e.g. some domains may be for SIP over TLS, while other domains may be for WebSockets over TLS (WSS)
It may be worthwhile looking at whether a single transport can serve either SIP or WebSockets dynamically even on the same domain.