[Devel] Re: [Users] TLS setup

Cesc cesc.santa at gmail.com
Tue Oct 11 00:25:43 CEST 2005


Hi,
see inline ...

On 10/10/05, Bogdan-Andrei Iancu <bogdan at voice-system.ro> wrote:
>
> Hi Juha,
>
> not sure, but maybe the certificate to be used should be selected based
> on the domain advertised in the received certificate. Like if you
> received a certificate advertising server1.com, you should use the
> client/server certificate you have with that domain....


It just would not work.
When you are dialing out you already know the cert you want to use (let's
assume that you can select the cert when doing multidomain). In the TLS
handshake, you are the client ... but the server must send its cert FIRST
... thus, I, as the receiving proxy (serving multi-domain), have no idea
who you are, so I should provide you with my host cert (not the cert of the
domain I am serving). I just checked the behavior of the web server which
hosts my web domain and it does actually do that (it presents me with its host
certificate) and the browser pops a warning telling me that the cert subject
and/or CN does not match my requested domain ... In SER, this could be dealt
with at the config level, automatically, provided some module provides this
functionality ...

Regards,

Cesc
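As an added illustration, not part of the original thread, here is the check a client makes between the domain it dialled and the certificate the proxy presented, which is what produces the browser warning Cesc describes when a multi-domain proxy answers with its host certificate. The certificate dictionary below is constructed in the shape Python's `ssl` module returns from `getpeercert()`, and every name in it is hypothetical.

```python
# Constructed sample: the *host* certificate of a multi-domain proxy, in the
# dict layout ssl.SSLSocket.getpeercert() produces. Names are hypothetical.
HOST_CERT = {
    "subject": ((("commonName", "proxy.example.net"),),),
    "subjectAltName": (("DNS", "proxy.example.net"), ("DNS", "*.example.net")),
}


def _name_matches(pattern: str, hostname: str) -> bool:
    """Match one dNSName pattern against a hostname.

    A wildcard is accepted only as the whole leftmost label, only when the
    pattern has at least three labels (so '*.net' never matches), and it
    covers exactly one label (so '*.example.net' does not cover a.b.example.net).
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def cert_matches_domain(cert: dict, requested: str) -> bool:
    """True if the presented cert vouches for the domain the caller dialled.

    subjectAltName dNSName entries are authoritative when present; the
    subject CN is consulted only for certificates that carry no DNS SANs.
    """
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return any(_name_matches(san, requested) for san in sans)
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return _name_matches(value, requested)
    return False


if __name__ == "__main__":
    # The proxy's own host name is fine; a domain it merely serves is not.
    for dialled in ("proxy.example.net", "sip.example.net", "server1.com"):
        verdict = "ok" if cert_matches_domain(HOST_CERT, dialled) else "MISMATCH"
        print(f"dialled {dialled:<18} -> {verdict}")
```

Run as-is it prints a match for the proxy's own names and a mismatch for server1.com, which is exactly the situation the post describes: the caller dialled one domain, the proxy could only answer with the cert it had before learning who was calling.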