Hi all,
A couple of notes I would like to remark ...
* On the "tls name extensions" ... it is indeed needed and it is not in openSSL. I do think we have a strong case for lobbying directly to OpenSSL core developers ... and I think openSER (and ser) have a rather strong arm. We could get in touch with the developer of the patch and openSSL core dev. Meanwhile ... the solution of providing the patch ... I see it as complicated and it won't spread very far, thus limiting the usefulness ... it could be sold as a way of testing the name extension patch and speeding up its inclusion in openssl ... but until that time, I think we should focus on other scenarios of openSER-tls.
* Klaus' initial email and scenarios ... I think it is a very enlightening explanation and it should be included in a tls-faq, but ... I would say that security is a very particular thing, and different people may wish to do things in a different way, thus we should provide a flexible solution. In my opinion, a core that sets up TLS connections plus a security-tls module which provides access to verification of certs against DB entries, tls connection management (tear down, etc), and this sort of stuff; this would be my choice. Provide the functionality, provide a nice FAQ and examples on standard practices, but give the user the power to do whatever he wants.
Regards,
Cesc