[jdev] virtual hosting and certificate checking

Justin Karneges justin-keyword-jabber.093179 at affinix.com
Fri Mar 3 04:10:37 CST 2006


On Friday 03 March 2006 01:41, Tony Finch wrote:
> On Fri, 3 Mar 2006, Jesus Cea wrote:
> > In current TLS, client gives the host it is trying to connect, BEFORE
> > negotiating crypto. So if you are using a modern webserver and a modern
> > browser, you can share the IP.
> >
> > I just don't remember if this feature is present in TLS 1.0 or in the
> > current draft for next revision.
>
> This is an RFC 3546 extension to TLS 1.0 - the "server name indication".
> It appears that this is not supported by OpenSSL but it is by GnuTLS.
> "Modern browser" in this situation means released within the last few
> months.

Hmm, there shouldn't be a need to introduce server names into TLS, which is 
technically supposed to exist independently of TCP/IP.

IMO, a better way would be to use RFC 2817, which allows upgrading a plaintext 
HTTP connection to TLS dynamically.  It works essentially the same way as 
XMPP's "starttls".  Sadly, no one actually uses this great spec.

-Justin
