10 Oct
2009
10 Oct
'09
9:17 p.m.
On Sat, Oct 10, 2009 at 3:39 PM, Olle E. Johansson <oej(a)edvina.net> wrote:
It is also useful for server-to-server connections, there it allows
you to select and present the correct certificate. Even if you have no
clients that support it, you might still want to use the server name
extension for server-to-server connections.
Well, to support the current proposal we should have a security association
on every TLS link between ourself and other servers, where we remember which
domain we verified for this link. We can't reuse this connection for other
links between ourself and the peer for other domains.
Yes, exactly, there are issues like that with connection reuse. That's
one of the reason why adding support for server name takes more than a
trivial change of the TLS configuration file format.
Anyway, we have more issues in TLS related code to take care of, we
won't be able to address them before the next release, but maybe we
could make them priority for the over-next release.
Jan.
Currently yes.
It is on my todo list to extend the configuration file
syntax to also support server names, but I am not there yet.
I think this is something that can wait. The server name extension is
quite new in openssl (on by default since 1.0). I doubt there are many
clients supporting it and unless all or most your clients support it is