Hi Jarno,

On Thu, May 16, 2019 at 06:49:56PM +0300, Jarno Huuskonen wrote:
> Do myapp.io and anotherapp.com share the same certificate (i.e.
> the certificate has both myapp.io and anotherapp.com as SANs)?
>
> AFAIK the browser can reuse the same TLS connection if the certificate
> covers both names.

Absolutely, I've already read about this, though I don't know the implementation details. Similar concepts have been discussed quite a bit on the HTTP WG, though I don't understand the details of each variation. The main thing is that sometimes the browser will consider that the connection is safe to be used for another domain name because the first one is considered authoritative on it. I'm not sure whether it only learns this from the cert or also from some response headers, though. This is also why I always say that routing on SNI is wrong and that only the Host header is relevant.

> When the host/sni differ, do you have an earlier
> connection (for example from the same ip/port) using matching sni/host in your
> logs?

Normally there should indeed be one.

Cheers,
Willy
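The connection reuse Willy and Jarno are describing is HTTP/2 connection coalescing (RFC 7540, section 9.1.1): a client may send requests for a second origin over an existing TLS connection when that origin resolves to the IP address the connection was made to and the certificate presented on the connection is valid for the new name. Servers can additionally advertise origins they serve with the ORIGIN frame (RFC 8336), and a server that does not serve the requested origin answers 421 Misdirected Request. On a coalesced connection the SNI still names the first host only, while the Host header (the :authority pseudo-header in HTTP/2) names the real target, which is the reason SNI-based routing misroutes such requests. The following script is an added example, not code from the thread or from HAProxy; it implements the RFC 7540 coalescing decision over a constructed certificate SAN list and a constructed DNS table, then routes the same request once by SNI and once by Host to show the difference. Backend names, hostnames and addresses are all made up for the illustration.

```python
"""Added example: RFC 7540 9.1.1 connection coalescing and its effect on
SNI-based versus Host-based routing.  All names, addresses, certificate
contents and backend names are constructed; nothing touches the network."""

# Constructed DNS table: hostname -> set of IPv4 addresses it resolves to.
DNS = {
    "myapp.io": {"203.0.113.10"},
    "anotherapp.com": {"203.0.113.10"},   # same front-end IP as myapp.io
    "api.myapp.io": {"203.0.113.10"},
    "elsewhere.example": {"198.51.100.7"},  # different IP, never coalesced
}

# Constructed certificate served on the connection to myapp.io (its SAN list).
CERT_SANS = ["myapp.io", "*.myapp.io", "anotherapp.com"]

# Constructed backend map, keyed by the hostname a request is really for.
BACKENDS = {
    "myapp.io": "be_myapp",
    "anotherapp.com": "be_anotherapp",
    "api.myapp.io": "be_api",
}


def san_matches(san: str, host: str) -> bool:
    """RFC 6125-style name match: exact, or a single leading wildcard label
    that covers exactly one label (*.myapp.io matches api.myapp.io but
    neither myapp.io nor a.b.myapp.io)."""
    san, host = san.lower(), host.lower()
    if san.startswith("*."):
        suffix = san[1:]                      # ".myapp.io"
        if not host.endswith(suffix) or len(host) <= len(suffix):
            return False
        return "." not in host[: -len(suffix)]
    return san == host


def cert_covers(sans, host: str) -> bool:
    """True if any SAN in the certificate is valid for host."""
    return any(san_matches(s, host) for s in sans)


def may_coalesce(conn_host: str, new_host: str, sans, dns) -> bool:
    """RFC 7540 9.1.1: the connection to conn_host may be reused for new_host
    when new_host resolves to an IP the connection is to and the certificate
    presented on that connection is valid for new_host."""
    if not (dns.get(conn_host, set()) & dns.get(new_host, set())):
        return False
    return cert_covers(sans, new_host)


def route_on_sni(sni: str, host: str) -> str:
    """The wrong way: pick a backend from the TLS SNI.  On a coalesced
    connection the SNI is the *first* hostname, not the one requested."""
    return BACKENDS.get(sni, "be_default")


def route_on_host(sni: str, host: str) -> str:
    """The right way: pick a backend from the Host / :authority value.
    An unknown host is refused with 421, as RFC 7540 9.1.2 allows."""
    return BACKENDS.get(host, "421_misdirected")


def simulate(request_host: str, conn_host: str = "myapp.io") -> dict:
    """The browser already holds a TLS connection to conn_host (sent
    SNI=conn_host).  Decide whether a request for request_host rides that
    connection, then show what each routing strategy would pick."""
    if may_coalesce(conn_host, request_host, CERT_SANS, DNS):
        sni = conn_host          # reused connection keeps the old SNI
    else:
        sni = request_host       # new connection, SNI matches Host
    return {
        "sni": sni,
        "host": request_host,
        "coalesced": sni != request_host,
        "by_sni": route_on_sni(sni, request_host),
        "by_host": route_on_host(sni, request_host),
    }


if __name__ == "__main__":
    for h in ("anotherapp.com", "api.myapp.io", "elsewhere.example"):
        print(simulate(h))
```

Running it shows the case from the thread: a request for anotherapp.com rides the myapp.io connection, so a log line with SNI myapp.io and Host anotherapp.com is expected, and an SNI-based rule would send it to the myapp backend. The wildcard SAN also pulls api.myapp.io onto that connection, while elsewhere.example gets its own connection because its IP differs, whatever the certificate says.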

