> From: "David Schwartz" <[EMAIL PROTECTED]>
>
> davids> > TLS doesn't support name-based virtual servers either.
> davids>
> davids>       Someone needs to yell at the TLS working group! A
> davids> chance to 'automatically' add support for name-based virtual
> davids> hosts to all protocols layered on top of TLS is too good to
> davids> give up. It would take decades to add that support to each
> davids> protocol individually.
>
> I'm not sure that's the right way to go, for a very simple reason: if
> that would be done, you'd need to either add some kind of TLS
> recognition mode in all servers, and that will be tricky, especially
> for those protocols that are already binary in nature, or the number
> of required ports will double instantly, since the other logical
> alternative is to have separate ports for the protocols over TLS, and
> with the growing amount of services, there will be a shortage of
> ports, if we aren't there already.

        I don't understand what you're saying. Isn't TLS based upon an extensible
binary encoding scheme where you can add any fields you want and
implementations that don't understand the new fields simply ignore them?

> This is why upgrading to TLS within the original protocol is a better
> idea, as stated in RFC2817, among others.  After all, it wouldn't be
> that difficult to write a small routine library that deals with this
> kind of upgrade, or so I imagine...

        I don't understand what problem it is you're trying to solve -- maybe I'm
just being dense. What I'm saying is that TLS should have some way to
specify the host. Higher levels invoking a TLS connection should be able to
specify the host name. Higher level protocols invoked by a TLS layer should
be able to interrogate the TLS layer for that information.

        It's precisely analogous to the way you can currently specify which
client ID to use and you can ask what cipher is being used. The TLS layer
propagates this information from the client to the server. The client
provides the information, if it has it. The server can get the information,
if it requests it.

        DS

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]