On 2009.11.16 at 12:22:13 -0500, Crypto Sal wrote:

> On 11/16/2009 03:46 AM, H?cber C?rdova wrote:
>> Since 0.9.8f OpenSSL supports the SNI (server name indication) TLS
>> extension. Support for this extension in mod_ssl has been discussed on
>> httpd-...@apache.org for years, and even if it hasn't yet got into a
>> release, you can definitely find patches in the Apache bugzilla.
>>
>> So it is theoretically possible for Apache to know the name of the
>> virtual host at the TLS handshake stage. But only if the browser
>> supports this extension (it seems that all modern browsers do).
>>
> Hello,
>
> I'll disagree with you on the "all modern browsers do" part. SNI is not
> supported on Windows XP (only Vista and up). This affects IE 6 through IE

Do you consider Windows XP's schannel.dll (which was released in 2003)
modern? I'd rather disagree. I'd like a situation where six-year-old
software is considered modern, but alas, our world changes too fast.

Note that I've said "theoretically possible". Unfortunately there is no
other way to make this theory practical than to start using SNI on
popular sites, making them inaccessible from outdated versions of
Windows. Probably this would cause somebody (maybe not Microsoft, maybe
Google or someone else) to ship an upgraded version of schannel.dll
(which would also be able to use modern ciphersuites if there are CSPs
with modern, EC-based algorithms installed in the system).

Really, all Russian firms which sell GOST-based cryptoproviders have to
ship their own schannel.dll replacements, because schannel.dll from XP,
not to mention earlier versions of Windows, is not able to use GOST
ciphersuites out of the box.

> 8, Safari and Google Chrome [or any client that relies on Windows
> Crypto] (Which by all definitions IE8, Safari 3+ and Google Chrome ARE

I've thought that most of the Safari installation base is on Mac OS X,
where there is no Windows Crypto anyway.

> modern browsers) Firefox 2x+ and Opera 8+ are unaffected because they
> are "on their own".
>
> Also, in 0.9.8f, SNI is not enabled by default. I do believe that it is
> as of 0.9.8j that this is the case.

Fortunately, OpenSSL is not Microsoft crypto. Anybody is able to build
it with any options one wants.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
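The point argued in this thread (the server can only pick a name-based virtual host during the handshake if the client actually puts a server_name extension into its ClientHello) can be checked on the wire. The following is an added example, not code from the original mail, from OpenSSL or from Apache's mod_ssl: it builds a minimal TLS 1.0 ClientHello with and without the server_name extension (constructed bytes, not a capture from any real browser), parses the extension back out following the layout in RFC 3546/6066, and shows the only choice a server has when the extension is absent. The `select_virtual_host` function is a hypothetical illustration of that decision, not mod_ssl's own logic.

```python
import struct

SNI_EXTENSION_TYPE = 0x0000   # server_name extension, RFC 3546 / RFC 6066
HOST_NAME_TYPE = 0            # the only name_type defined for server_name


def build_client_hello(server_name=None):
    """Build a minimal TLS 1.0 ClientHello record.

    Constructed input for this example, not a capture from a real client.
    With server_name=None the extensions block is omitted entirely, which
    is the shape of a ClientHello from a client without SNI support.
    """
    body = b"\x03\x01" + b"\x11" * 32          # client_version + fixed (non-random) client_random
    body += b"\x00"                            # empty session_id
    suites = b"\x00\x2f\x00\x35"               # TLS_RSA_WITH_AES_128_CBC_SHA, ..._256_CBC_SHA
    body += struct.pack("!H", len(suites)) + suites
    body += b"\x01\x00"                        # one compression method: null
    if server_name is not None:
        name = server_name.encode("idna")
        entry = struct.pack("!BH", HOST_NAME_TYPE, len(name)) + name
        sni = struct.pack("!H", len(entry)) + entry                   # ServerNameList
        ext = struct.pack("!HH", SNI_EXTENSION_TYPE, len(sni)) + sni  # Extension
        body += struct.pack("!H", len(ext)) + ext                     # extensions block
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body         # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record):
    """Return the host name carried in the ClientHello's server_name extension,
    or None if the client sent no SNI. Raises ValueError on malformed input."""
    try:
        if record[0] != 0x16:
            raise ValueError("not a TLS handshake record")
        (rec_len,) = struct.unpack("!H", record[3:5])
        hs = record[5:5 + rec_len]
        if hs[0] != 0x01:
            raise ValueError("not a ClientHello")
        hs_len = int.from_bytes(hs[1:4], "big")
        body = hs[4:4 + hs_len]
        if len(body) != hs_len:
            raise ValueError("truncated ClientHello")
        pos = 2 + 32                                   # skip client_version and client_random
        pos += 1 + body[pos]                           # session_id
        (cs_len,) = struct.unpack("!H", body[pos:pos + 2])
        pos += 2 + cs_len                              # cipher_suites
        pos += 1 + body[pos]                           # compression_methods
        if pos == len(body):
            return None                                # no extensions block at all: pre-SNI client
        (ext_total,) = struct.unpack("!H", body[pos:pos + 2])
        pos += 2
        end = pos + ext_total
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            data = body[pos:pos + ext_len]
            pos += ext_len
            if ext_type != SNI_EXTENSION_TYPE:
                continue
            (list_len,) = struct.unpack("!H", data[:2])
            p = 2
            while p + 3 <= 2 + list_len:
                name_type, name_len = struct.unpack("!BH", data[p:p + 3])
                p += 3
                if name_type == HOST_NAME_TYPE:
                    return data[p:p + name_len].decode("ascii")
                p += name_len
        return None
    except (IndexError, struct.error) as exc:
        raise ValueError("malformed ClientHello") from exc


def select_virtual_host(record, vhosts, default):
    """Hypothetical vhost selection: use the SNI name if it is configured,
    otherwise fall back to the default vhost, which is all a server can do
    for a client that does not send the extension."""
    name = extract_sni(record)
    return name if name in vhosts else default
```

Run against a browser capture, feed the first record of the client's TLS stream to `extract_sni`; a None result from a real client is exactly the Windows XP case discussed above, and a hardened deployment should decide up front which certificate the default vhost presents to such clients.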