[jdev] virtual hosting and certificate checking

Tony Finch dot at dotat.at
Fri Mar 3 04:50:34 CST 2006


On Fri, 3 Mar 2006, Justin Karneges wrote:
>
> IMO, a better way would be to use RFC 2817, which allows upgrading a plaintext
> HTTP connection to TLS dynamically.  It works essentially the same way as
> XMPP's "starttls".  Sadly, no one actually uses this great spec.

I get the impression that that is because it's a pain to implement :-) e.g.
http://coders.meta.net.nz/weblog/2005/03/25/server-name-indication-or-how-to-virtual-host-ssl/

I note that other protocols which have a starttls function - SMTP, IMAP,
POP - don't have a mechanism outside TLS for indicating the server name.
XMPP is unusual in this respect. RFC 3546 SNI has the advantage that it
solves the problem for all protocols that use TLS, and in the context of
HTTP it has MUCH lower latency than RFC 2817.

Tony.
-- 
f.a.n.finch  <dot at dotat.at>  http://dotat.at/
HUMBER: WEST OR NORTHWEST 3 OR 4 INCREASING 5 OR 6. WINTRY SHOWERS. MAINLY
GOOD.
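An added illustration, not part of either mail: the RFC 3546 server_name extension carries the hostname inside the TLS ClientHello itself, so the server can pick the right certificate before any application-protocol round trip. The Python below encodes that extension, embeds it in a constructed minimal ClientHello (zero random, one arbitrary cipher suite, purely a sample), and parses the hostname back out the way a server or a passive TLS-logging sensor would.

```python
import struct

EXT_SERVER_NAME = 0x0000   # extension type for server_name (RFC 3546)
NAME_TYPE_HOST = 0         # NameType host_name

def build_sni_extension(hostname: str) -> bytes:
    """Encode an RFC 3546 server_name extension with a single host_name entry."""
    name = hostname.encode("ascii")  # SNI carries ASCII (IDNA-encoded) names
    server_name = struct.pack("!BH", NAME_TYPE_HOST, len(name)) + name
    server_name_list = struct.pack("!H", len(server_name)) + server_name
    return struct.pack("!HH", EXT_SERVER_NAME, len(server_name_list)) + server_name_list

def build_client_hello(hostname: str) -> bytes:
    """Constructed minimal TLS 1.0 ClientHello handshake message carrying SNI."""
    body = b"\x03\x01"                            # client_version = TLS 1.0
    body += b"\x00" * 32                          # random (zeros: sample only)
    body += b"\x00"                               # session_id length = 0
    body += struct.pack("!H", 2) + b"\x00\x2f"    # one cipher suite (sample value)
    body += b"\x01\x00"                           # one compression method: null
    ext = build_sni_extension(hostname)
    body += struct.pack("!H", len(ext)) + ext     # extensions block
    return b"\x01" + len(body).to_bytes(3, "big") + body  # type 1 = client_hello

def parse_sni(client_hello: bytes):
    """Return the host_name from a ClientHello's server_name extension, else None."""
    try:
        if len(client_hello) < 4 or client_hello[0] != 1:
            return None
        pos = 4 + 2 + 32                          # handshake header, version, random
        pos += 1 + client_hello[pos]              # session_id
        pos += 2 + struct.unpack("!H", client_hello[pos:pos + 2])[0]   # cipher_suites
        pos += 1 + client_hello[pos]              # compression_methods
        if pos + 2 > len(client_hello):
            return None                           # no extensions (pre-RFC 3546 client)
        end = pos + 2 + struct.unpack("!H", client_hello[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            ext_type, data_len = struct.unpack("!HH", client_hello[pos:pos + 4])
            pos += 4
            data = client_hello[pos:pos + data_len]
            pos += data_len
            if ext_type == EXT_SERVER_NAME and len(data) >= 2:
                q, stop = 2, 2 + struct.unpack("!H", data[:2])[0]
                while q + 3 <= stop:              # walk the ServerNameList
                    name_type, name_len = struct.unpack("!BH", data[q:q + 3])
                    q += 3
                    if name_type == NAME_TYPE_HOST:
                        return data[q:q + name_len].decode("ascii", "replace")
                    q += name_len
        return None
    except (IndexError, struct.error):
        return None                               # truncated or malformed message
```

Because the name is visible in the first handshake flight, a server can select the certificate for that virtual host, and a defender can log which name each client asked for without terminating the connection.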
