You and "SB" are in agreement. There is a middlebox terminating the TLS
connection with a cert chain signed by a root which is also installed on
the client. The middlebox in turn is connecting to a TLS Server whose
cert chains back to a webpki root. The middlebox is handling the
termination and
* In other words, the middlebox serves a cert to the client that is
cryptographically valid for the said public name of the client-facing server.
The only way that happens is if the middlebox *terminates the TLS connection*
In this case it is like my client<>cdn<>origin picture. The middle
“Authoritative” is not the same as having “a valid TLS certificate for the
server”. Everyone can get the certificate of a TLS server.
From: TLS On Behalf Of
ietf=40dennis-jackson...@dmarc.ietf.org
Sent: Monday, October 10, 2022 10:15 AM
To: tls@ietf.org
Subject: Re: [TLS] Securely disabling ECH
Hi,
provided the middlebox is authoritative (has a valid TLS certificate for
the server in question), then Firefox will carry out the described retry
behavior. Currently all ECH support is disabled behind a pref by
default, but you can enable it by setting network.dns.echconfig.enabled
to tru