On 11/07/2014 02:50 PM, Viktor Dukhovni wrote:
> I think SNI-based virtual hosting stinks, and I'd hate to encourage
> its use.  Particularly for MX hosts it is FAR more sensible to just
> use a fixed MX hostname for multiple domains.

It's pointless for MX hosts because they don't validate the certificate
anyway.

> The plausibly sensible use-case for SNI with SMTP is for submission
> servers.

This is where it would make sense, imo.

> Thus updating the submission server would require changes in the
> email settings of all users.  So when submission services are
> hosted, the name of the submission host is usually kept fixed.

I don't really see why.  The SNI hostname can, and probably should, be
used purely for selecting the server certificate to present.  Once TLS
is established then the certificate has been validated and we can get on
with the SMTP session in the same exact way we would without SNI.

> Mind you, hosting of submission servers across organizational
> boundaries typically means rather unnatural sharing of private
> keys, while hosting within a single organization is perhaps poor
> planning, since a single MSA hostname could have been communicated
> to all users as each domain was registered.

I do have to agree with this, but I also see a lot of users requesting
SNI both here on the mailing list and on IRC lately.  This is why I
personally think it is probably time to look into implementing it.  I do
try to offer up alternatives to SNI, but people seem to be increasingly
adamant that they want SNI as a solution.  Whether it's an ideal
solution or not is certainly up for debate, but the demand is there.

> I don't want to support SNI until it actually works correctly in
> mainstream OpenSSL releases on actual operating systems.  I think
> we can revisit this in due course.

I seem to see this argument a few times in this thread, but I have yet
to really see (or perhaps I just don't understand) what the actual issue
is with the current SNI implementation in openssl.  Is it not good
enough for people to be able to simply present the correct server
certificate for the domain name requested?  I honestly think that's all
that people want it for, to get rid of the scary "invalid certificate"
popup that people see when submitting mail.


Peter
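An added example, not part of the thread above and not code from any MTA or from OpenSSL, illustrating the point made in the reply: the server reads the host_name from the ClientHello's server_name extension (RFC 6066), uses it only to choose which certificate to present, and otherwise runs the session exactly as a non-SNI server would. The ClientHello builder, the parser and the certificate map are constructed for the illustration; the hostnames and PEM file names are made up. A client that sends no SNI at all (the pre-extensions ClientHello layout) or an unknown name gets the default certificate rather than a failed handshake.

```python
"""Added example: SNI used purely for server-certificate selection.
Constructed for illustration; not code from the mailing list thread,
any MTA, or OpenSSL. Hostnames and file names below are made up."""
import struct

SNI_EXTENSION_TYPE = 0x0000   # RFC 6066 server_name extension
SNI_HOST_NAME = 0             # NameType host_name


def build_client_hello(server_name=None):
    """Build a minimal TLS 1.2 ClientHello record, optionally carrying SNI.
    Constructed sample: zero random, two cipher suites, null compression."""
    extensions = b""
    if server_name is not None:
        name = server_name.encode("idna")
        entry = struct.pack("!BH", SNI_HOST_NAME, len(name)) + name
        name_list = struct.pack("!H", len(entry)) + entry
        extensions += struct.pack("!HH", SNI_EXTENSION_TYPE, len(name_list)) + name_list
    body = (
        b"\x03\x03"                                   # client_version: TLS 1.2
        + bytes(32)                                   # random (zeros in this sample)
        + b"\x00"                                     # session_id: empty
        + struct.pack("!H", 4) + b"\xc0\x2f\x00\x9c"  # two cipher suites
        + b"\x01\x00"                                 # compression: null only
    )
    if extensions:  # legacy clients omit the extensions field entirely
        body += struct.pack("!H", len(extensions)) + extensions
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def _need(buf, pos, n):
    """Bounds check so a truncated or lying length field cannot slice past the data."""
    if pos + n > len(buf):
        raise ValueError("truncated ClientHello")


def _parse_server_name_list(data):
    _need(data, 0, 2)
    end = 2 + struct.unpack("!H", data[:2])[0]
    _need(data, 0, end)
    pos = 2
    while pos + 3 <= end:
        name_type, name_len = struct.unpack("!BH", data[pos:pos + 3])
        pos += 3
        _need(data, pos, name_len)
        name = data[pos:pos + name_len]
        pos += name_len
        if name_type == SNI_HOST_NAME:
            # RFC 6066: host_name is an ASCII DNS name with no trailing dot
            if not name or name.endswith(b"."):
                raise ValueError("malformed host_name")
            return name.decode("ascii")
    return None


def extract_sni(record):
    """Return the host_name the client asked for, or None if it sent no SNI.
    The name travels in cleartext in the first flight, before any certificate
    is chosen; this is all the server has to select on."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                                              # version + random
    _need(body, pos, 1); pos += 1 + body[pos]                 # session_id
    _need(body, pos, 2); pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]  # cipher_suites
    _need(body, pos, 1); pos += 1 + body[pos]                 # compression_methods
    if pos == len(body):
        return None                                           # no extensions block at all
    _need(body, pos, 2)
    end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
    _need(body, pos, end - pos)
    pos += 2
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        _need(body, pos, ext_len)
        data = body[pos:pos + ext_len]
        pos += ext_len
        if ext_type == SNI_EXTENSION_TYPE:
            return _parse_server_name_list(data)
    return None


def select_certificate(sni_name, cert_by_name, default_cert):
    """Choose the certificate to present. SNI is consulted only here; an absent
    or unknown name falls back to the default certificate, as a server without
    SNI support would behave, and the SMTP session afterwards is unchanged."""
    if sni_name is None:
        return default_cert
    return cert_by_name.get(sni_name.lower(), default_cert)


if __name__ == "__main__":
    # Constructed certificate map: hostnames and file names are made up.
    certs = {"mail.example.net": "example-net.pem",
             "smtp.example.org": "example-org.pem"}
    for client_name in ("mail.example.net", "smtp.example.org", None, "other.test"):
        requested = extract_sni(build_client_hello(client_name))
        print(client_name, "->", select_certificate(requested, certs, "default.pem"))
```

The parser is deliberately strict about lengths: every length field in the ClientHello is attacker-controlled, so each is bounds-checked before it is used as a slice, and a record that claims more data than it carries is rejected instead of silently yielding a short or empty name.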
