[jdev] virtual hosting and certificate checking

Justin Karneges justin-keyword-jabber.093179 at affinix.com
Fri Mar 3 04:10:37 CST 2006

On Friday 03 March 2006 01:41, Tony Finch wrote:
> On Fri, 3 Mar 2006, Jesus Cea wrote:
> > In current TLS, client gives the host it is trying to connect, BEFORE
> > negociating crypto. So if you are using a modern webserver and a modern
> > browser, you can share the IP.
> >
> > I just don't remember if this feature is present in TLS 1.0 or in the
> > current draft for next revision.
> This is an RFC 3546 extension to TLS 1.0 - the "server name indication".
> It appears that this is not supported by OpenSSL but it is by GnuTLS.
> "Modern browser" in this situation means released within the last few
> months.

Hmm, there shouldn't be a need to introduce server names into TLS, which is 
technically supposed to exist independently of TCP/IP.

IMO, a better way would be to use RFC 2817, which allows upgrading a plaintext 
HTTP connection to TLS dynamically.  It works essentially the same way as 
XMPP's "starttls".  Sadly, no one actually uses this great spec.


More information about the JDev mailing list