[jdev] virtual hosting and certificate checking
Trejkaz
trejkaz at trypticon.org
Fri Mar 3 05:45:29 CST 2006
On Friday 03 March 2006 21:10, Justin Karneges wrote:
> Hmm, there shouldn't be a need to introduce server names into TLS, which is
> technically supposed to exist independently of TCP/IP.
>
> IMO, a better way would be to use RFC 2817, which allows upgrading a
> plaintext HTTP connection to TLS dynamically. It works essentially the
> same way as XMPP's "starttls". Sadly, no one actually uses this great
> spec.
I'm sure that some services still have a name outside of TCP/IP. Besides,
it's only an extension, which does make a bit of sense since you would just
choose not to use that extension in the case where you're not going over
TCP/IP (analogous to an XMPP server choosing not to allow external auth if
the connection is not going over TLS.)
Funnily enough, if we'd had naming in TLS from the start, there probably
wouldn't even *be* STARTTLS since everyone would be using the better
method. :-)
RFC 2817 is still neat though. Funny how web browsers, despite being the most
used Internet app around, or so they say, are so slow to follow standards.
We should have SRV for web browsers too, but hardly anyone implemented that
too.
TX
--
Email: trejkaz at trypticon.org
Jabber ID: trejkaz at trypticon.org
Web site: http://trypticon.org/
GPG Fingerprint: 9EEB 97D7 8F7B 7977 F39F A62C B8C7 BC8B 037E EA73
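The point under discussion, shown as an added example (this is editor-supplied code, not part of the thread or of any XMPP or TLS project): a server that hosts several names on one address can only present the right certificate if the client names the host inside TLS. The Go program below, using only the standard library and constructed self-signed certificates for the hypothetical names alpha.example and beta.example, models the server-side choice by server name (the lookup a TLS server performs in its GetCertificate callback, done here outside a live handshake) next to the client-side hostname check, and shows what fails when no name is sent and the server falls back to a default certificate.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Constructed example: one server address hosts two names. Without a server
// name in TLS the server can only present a single default certificate.
var vhosts = []string{"alpha.example", "beta.example"}

// newSelfSigned mints an in-memory self-signed server certificate for host.
func newSelfSigned(host string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host}, // the only name a client may match
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// VHostServer holds one certificate per hosted name plus the default that is
// presented when the client sends no server name at all.
type VHostServer struct {
	certs      map[string]*x509.Certificate
	defaultCrt *x509.Certificate
	Roots      *x509.CertPool // trust anchors a client of these hosts would use
}

// NewVHostServer builds certificates for every hosted name; the first name
// becomes the default certificate, as on a server that predates SNI.
func NewVHostServer(hosts []string) (*VHostServer, error) {
	s := &VHostServer{certs: map[string]*x509.Certificate{}, Roots: x509.NewCertPool()}
	for _, h := range hosts {
		c, err := newSelfSigned(h)
		if err != nil {
			return nil, err
		}
		s.certs[h] = c
		s.Roots.AddCert(c) // self-signed, so the leaf is its own anchor
		if s.defaultCrt == nil {
			s.defaultCrt = c
		}
	}
	return s, nil
}

// Select is the server side: return the certificate for the name the client
// asked for, or the default when no name was sent.
func (s *VHostServer) Select(sni string) (*x509.Certificate, error) {
	if sni == "" {
		return s.defaultCrt, nil
	}
	if c, ok := s.certs[sni]; ok {
		return c, nil
	}
	return nil, errors.New("unrecognized name: " + sni)
}

// Check is the client side: the presented certificate must chain to a trusted
// root and carry the name the client intended to reach.
func Check(presented *x509.Certificate, intended string, roots *x509.CertPool) error {
	_, err := presented.Verify(x509.VerifyOptions{Roots: roots, DNSName: intended})
	return err
}

// IsNameMismatch reports whether a Check failure was a hostname mismatch
// rather than an untrusted or expired certificate.
func IsNameMismatch(err error) bool {
	var hn x509.HostnameError
	return errors.As(err, &hn)
}

// Connect runs both halves for one attempted connection and returns the
// CommonName of whatever certificate the server presented.
func Connect(s *VHostServer, sni, intended string) (string, error) {
	crt, err := s.Select(sni)
	if err != nil {
		return "", err
	}
	return crt.Subject.CommonName, Check(crt, intended, s.Roots)
}

func main() {
	s, err := NewVHostServer(vhosts)
	if err != nil {
		panic(err)
	}
	for _, tc := range []struct{ sni, intended string }{
		{"beta.example", "beta.example"}, // name sent: right cert, check passes
		{"", "beta.example"},             // no name: default cert, mismatch
		{"gamma.example", "gamma.example"},
	} {
		cn, err := Connect(s, tc.sni, tc.intended)
		fmt.Printf("sni=%q intended=%q presented=%q err=%v\n", tc.sni, tc.intended, cn, err)
	}
}
```

The second case is the one the thread is about: with no name inside TLS the server has to guess, the client's hostname check rejects the default certificate, and the only cure is either one address per name or a name carried in the handshake.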