On 10 Oct 2009 at 20:17, Jan Janak wrote:
On Sat, Oct 10, 2009 at 3:39 PM, Olle E. Johansson <oej(a)edvina.net> wrote:
> Currently yes. It is on my todo list to extend the configuration file syntax to also support server names, but I am not there yet.
I think this is something that can wait. The server name extension is quite new in openssl (on by default since 1.0). I doubt there are many clients supporting it and unless all or most of your clients support it is
It is also useful for server-to-server connections, there it allows you to select and present the correct certificate. Even if you have no clients that support it, you might still want to use the server name extension for server-to-server connections.
Well, to support the current proposal we should have a security association on every TLS link between ourself and other servers, where we remember which domain we verified for this link. We can't reuse this connection for other links between ourself and the peer for other domains.
Yes, exactly, there are issues like that with connection reuse. That's one of the reasons why adding support for server name takes more than a trivial change of the TLS configuration file format.
Understood.
Anyway, we have more issues in TLS-related code to take care of, we won't be able to address them before the next release, but maybe we could make them a priority for the over-next release.
Yes, right now we gotta focus on bug-fixing and getting ready for release, which means fixing a LOT of documentation. There's tons of confusing old files that need to be evaluated. We gotta look at our product with the eyes of a new user as well as a current user that wants to upgrade, and fix documentation, make it easy, cool and productive to select a sip-router distribution. This probably means some changes to our web sites as well.
/O
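The connection-reuse problem discussed in the thread, as an added illustration that is not code from the sip-router project or from either of the posters: each outbound TLS link carries a security association recording the peer address and the domain name that was sent via SNI and verified against the peer's certificate, and a link is only reused for requests to that same verified domain. A second domain at the same peer gets its own handshake, so the certificate it presents is checked for that name rather than inherited from the first link. The `SecurityAssociation`, `TlsLink` and `LinkPool` names, the peer address and the domain names are all constructed for this example; `open_tls_link` shows the real `ssl` module call that sends the SNI name and enforces hostname verification, while the pool itself is exercised with a constructed stand-in connector so the block runs offline.

```python
"""Per-domain security associations for server-to-server TLS links (example, not project code)."""
from dataclasses import dataclass
import socket
import ssl
from typing import Callable, Dict, Tuple

Peer = Tuple[str, int]  # (host, port) of the remote server


@dataclass(frozen=True)
class SecurityAssociation:
    """What we remember about a TLS link: who we connected to and which
    domain name was sent in SNI and verified against the peer certificate."""
    peer: Peer
    verified_domain: str


@dataclass
class TlsLink:
    """A live (or, in this example, simulated) TLS connection bound to one SA."""
    sa: SecurityAssociation
    uses: int = 0


def open_tls_link(sa: SecurityAssociation, timeout: float = 5.0) -> ssl.SSLSocket:
    """Real connector: send the domain as SNI and verify the certificate for it.

    create_default_context() enables certificate validation and hostname
    checking; server_hostname= is both the SNI value and the name the
    certificate is checked against, so the link is only valid for that domain.
    """
    ctx = ssl.create_default_context()
    raw = socket.create_connection(sa.peer, timeout=timeout)
    return ctx.wrap_socket(raw, server_hostname=sa.verified_domain)


class LinkPool:
    """Reuses a TLS link only when both the peer and the verified domain match."""

    def __init__(self, connect: Callable[[SecurityAssociation], object]):
        # connect() performs the handshake; injected so the pool can be tested offline
        self._connect = connect
        self._links: Dict[SecurityAssociation, TlsLink] = {}

    def get(self, peer: Peer, domain: str) -> TlsLink:
        sa = SecurityAssociation(peer, domain)
        link = self._links.get(sa)
        if link is None:
            # No link verified for this domain at this peer yet: a fresh handshake
            # with SNI=domain, even if a link to the same peer already exists.
            self._connect(sa)
            link = TlsLink(sa)
            self._links[sa] = link
        link.uses += 1
        return link

    def link_count(self) -> int:
        return len(self._links)


def demo() -> Tuple[list, int]:
    """Drive the pool with a constructed connector; returns (handshake log, link count)."""
    handshakes = []
    pool = LinkPool(lambda sa: handshakes.append(sa.verified_domain))
    peer = ("proxy.example.net", 5061)  # constructed peer address
    pool.get(peer, "a.example")   # handshake, SNI=a.example
    pool.get(peer, "b.example")   # same peer, different domain: second handshake
    pool.get(peer, "a.example")   # reused: same peer and same verified domain
    return handshakes, pool.link_count()


if __name__ == "__main__":
    print(demo())  # (['a.example', 'b.example'], 2)
```

Keying the pool on the verified domain rather than on the peer address alone is the whole point: a link to `proxy.example.net` that was verified for `a.example` says nothing about whether that server is also authorised to serve `b.example`, so the second domain must present and pass verification of its own certificate.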