On Sunday, 23 September 2018 at 22:39 +0200, Florian Weimer wrote:
> > On Sun, Sep 23, 2018 at 10:14 AM, Nicolas Mailhot
> > 
> To be honest, this looks like a misconfiguration of the Google
> servers.

Actually, this is probably a "we can finally declare IE6 dead and use
SNI everywhere" moment on the part of Google. Because IE6 was really the
only remaining reason to bother avoiding SNI.

They certainly took pains to make it explicit in the spec:

   -  The "server_name" [RFC6066] and "certificate_authorities"
      extensions are used to guide certificate selection.  As servers
      MAY require the presence of the "server_name" extension, clients
      SHOULD send this extension, when applicable.
[…]

   Servers MAY require clients to send a valid "server_name" extension.
   Servers requiring this extension SHOULD respond to a ClientHello
   lacking a "server_name" extension by terminating the connection with
   a "missing_extension" alert.

So, don't be confused by the "MAY"s. The only thing a server that wants
to use SNI owes clients that do not support it is a clean termination
message.

And from the server-side point of view, why would you want to pass on
SNI? That requires provisioning one dedicated IP per server name, at a
time IPv4 addresses get exhausted, and virtualisation pretty much makes sure
you are sharing things right and left.

Regards,

-- 
Nicolas Mailhot
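
The server behaviour in the spec text quoted above, as an added example that is not part of the original message: a check for the "server_name" extension in a ClientHello, and the fatal "missing_extension" alert record a server requiring SNI would send when it is absent. The function names are hypothetical and the sample ClientHello is constructed for the demo.

```python
import struct

EXT_SERVER_NAME = 0            # extension type, RFC 6066
ALERT_MISSING_EXTENSION = 109  # alert description, RFC 8446
# Alert record: type 21, legacy version 0x0303, length 2, level 2 (fatal)
MISSING_EXTENSION_RECORD = bytes([21, 3, 3, 0, 2, 2, ALERT_MISSING_EXTENSION])

def client_hello_sni(msg):
    """Return the host_name in a ClientHello handshake message, or None."""
    if len(msg) < 4 or msg[0] != 1:
        raise ValueError("not a ClientHello")
    body = msg[4:4 + int.from_bytes(msg[1:4], "big")]
    try:
        pos = 2 + 32                                          # legacy_version, random
        pos += 1 + body[pos]                                  # legacy_session_id
        pos += 2 + int.from_bytes(body[pos:pos + 2], "big")   # cipher_suites
        pos += 1 + body[pos]                                  # compression methods
    except IndexError:
        raise ValueError("truncated ClientHello")
    if pos + 2 > len(body):
        return None                                           # no extensions at all
    end = min(len(body), pos + 2 + int.from_bytes(body[pos:pos + 2], "big"))
    pos += 2
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack_from("!HH", body, pos)
        data = body[pos + 4:pos + 4 + ext_len]
        pos += 4 + ext_len
        # server_name data: list length (2), name_type (1), name length (2), name
        if ext_type == EXT_SERVER_NAME and len(data) >= 5 and data[2] == 0:
            return data[5:5 + int.from_bytes(data[3:5], "big")].decode("ascii")
    return None

def respond(msg):
    """Bytes a server that requires SNI sends back, or None to continue."""
    return None if client_hello_sni(msg) else MISSING_EXTENSION_RECORD

def build_client_hello(host=None):
    """Constructed minimal ClientHello for the demo, not captured traffic."""
    exts = struct.pack("!HHB", 43, 3, 2) + b"\x03\x04"   # supported_versions: TLS 1.3
    if host:
        entry = b"\x00" + struct.pack("!H", len(host)) + host.encode("ascii")
        sni = struct.pack("!H", len(entry)) + entry
        exts += struct.pack("!HH", EXT_SERVER_NAME, len(sni)) + sni
    body = (b"\x03\x03" + bytes(32) + b"\x00" + b"\x00\x02\x13\x01" + b"\x01\x00"
            + struct.pack("!H", len(exts)) + exts)
    return b"\x01" + len(body).to_bytes(3, "big") + body

if __name__ == "__main__":
    for h in (None, "example.org"):
        print(h, "->", respond(build_client_hello(h)))
```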