[jdev] virtual hosting and certificate checking

Trejkaz trejkaz at trypticon.org
Fri Mar 3 05:45:29 CST 2006


On Friday 03 March 2006 21:10, Justin Karneges wrote:
> Hmm, there shouldn't be a need to introduce server names into TLS, which is
> technically supposed to exist independently of TCP/IP.
>
> IMO, a better way would be to use RFC 2817, which allows upgrading a
> plaintext HTTP connection to TLS dynamically.  It works essentially the
> same way as XMPP's "starttls".  Sadly, no one actually uses this great
> spec.

I'm sure that some services still have a name outside of TCP/IP.  Besides, 
it's only an extension, which does make a bit of sense since you would just 
choose not to use that extension in the case where you're not going over 
TCP/IP (analogous to an XMPP server choosing not to allow external auth if 
the connection is not going over TLS.)

Funnily enough, if we'd had naming in TLS from the start, there probably 
wouldn't even *be* STARTTLS since everyone would be using the better 
method. :-)

RFC 2817 is still neat though.  Funny how web browsers, despite being the most 
used Internet app around, or so they say, are so slow to follow standards.  
We should have SRV for web browsers too, but hardly anyone implemented that 
either.

TX

-- 
             Email: trejkaz at trypticon.org
         Jabber ID: trejkaz at trypticon.org
          Web site: http://trypticon.org/
   GPG Fingerprint: 9EEB 97D7 8F7B 7977 F39F  A62C B8C7 BC8B 037E EA73