[sr-dev] TLS docs

Jan Janak jan at ryngle.com
Sat Oct 10 20:17:42 CEST 2009


On Sat, Oct 10, 2009 at 3:39 PM, Olle E. Johansson <oej at edvina.net> wrote:
>>>> Currently yes. It is on my todo list to extend the configuration file
>>>> syntax to also support server names, but I am not there yet.
>>>
>>> I think this is something that can wait. The server name extension is
>>> quite new in openssl (on by default since 1.0). I doubt there are many
>>> clients supporting it and unless all or most your clients support it is
>>
>> It is also useful for server-to-server connections, there it allows
>> you to select and present the correct certificate. Even if you have no
>> clients that support it, you might still want to use the server name
>> extension for server-to-server connections.
>
> Well, to support the current proposal we should have a security association
> on every TLS link between ourself and other servers, where we remember which
> domain we verified for this link. We can't reuse this connection for other
> links between ourself and the peer for other domains.

Yes, exactly, there are issues like that with connection reuse. That's
one of the reasons why adding support for server name takes more than a
trivial change of the TLS configuration file format.

Anyway, we have more issues in TLS related code to take care of, we
won't be able to address them before the next release, but maybe we
could make them priority for the over-next release.

   Jan.
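As an added example (not code from the sr-dev thread or from the sr project), a Python model of the per-link security association discussed above: each server-to-server TLS link records the domain that was verified on it, and a link verified for one domain is never handed back for a different domain to the same peer. The peer addresses, server names and SAN entries are constructed sample data.

```python
# Added example, not part of the sr code base: a connection registry keyed by
# (peer, verified domain) instead of peer alone, so a TLS link verified for
# one domain cannot be reused for another domain to the same peer.
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

Peer = Tuple[str, int]

# Constructed sample data: the SubjectAltName dNSNames a peer presents when a
# given server name is requested via SNI.  A real implementation would read
# these from the certificate received during the handshake.
PEER_CERTS: Dict[Tuple[Peer, str], Tuple[str, ...]] = {
    (("192.0.2.10", 5061), "sip.example.com"): ("sip.example.com",),
    (("192.0.2.10", 5061), "sip.example.org"): ("*.example.org",),
}

def name_matches(domain: str, san: str) -> bool:
    """Exact dNSName match, or a single left-most wildcard label."""
    domain, san = domain.lower(), san.lower()
    if san.startswith("*."):
        d_labels, s_labels = domain.split("."), san.split(".")
        return len(d_labels) == len(s_labels) and d_labels[1:] == s_labels[1:]
    return domain == san

@dataclass(frozen=True)
class TlsLink:
    peer: Peer
    verified_domain: str   # the domain this link's peer certificate was verified for
    conn_id: int

class LinkRegistry:
    """Links are looked up by (peer, verified_domain), never by peer alone."""
    def __init__(self) -> None:
        self._links: Dict[Tuple[Peer, str], TlsLink] = {}
        self._next_id = 0

    def get_or_open(self, peer: Peer, domain: str) -> Tuple[Optional[TlsLink], bool]:
        """Return (link, reused).  A fresh link is opened only when the peer's
        certificate for that server name matches the requested domain."""
        key = (peer, domain)
        if key in self._links:
            return self._links[key], True          # same peer AND same verified domain
        sans = PEER_CERTS.get(key, ())
        if not any(name_matches(domain, san) for san in sans):
            return None, False                     # verification failed: no link
        self._next_id += 1
        link = TlsLink(peer, domain, self._next_id)
        self._links[key] = link
        return link, False
```

Requesting a second domain to the same peer yields a second, separately verified link rather than the first one.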
