10 okt 2009 kl. 20.17 skrev Jan Janak:
On Sat, Oct 10, 2009 at 3:39 PM, Olle E. Johansson oej@edvina.net wrote:
Currently yes. It is on my todo list to extend the configuration file syntax to also support server names, but I am not there yet.
I think this is something that can wait. The server name extension is quite new in openssl (on by default since 1.0). I doubt there are many clients supporting it and unless all or most your clients support it is
It is also useful for server-to-server connections, there it allows you to select and present the correct certificate. Even if you have no clients that support it, you might still want to use the server name extension for server-to-server connections.
Well, to support the current proposal we should have a security association on every TLS link between ourself and other servers, where we remember which domain we verified for this link. We can't reuse this connection for other links between ourself and the peer for other domains.
Yes, exactly, there are issues like that with connection reuse. That's one of the reason why adding support for server name takes more than a trivial change of the TLS configuration file format.
Understood.
Anyway, we have more issues in TLS related code to take care of, we won't be able to address them before the next release, but maybe we could make them priority for the over-next release.
Yes, right now we gotta focus on bug-fixing and getting ready for release, which means fixing a LOT of documentation. There's tons of confusing old files that need to be evaluated. We gotta look at our product with the eyes of a new user as well as a current user that wants to upgrade, and fix documentation, make it easy, cool and productive to select a sip-router distribution.
This propably means some changes to our web sites as well.
/O