Hi,
provided the middlebox is authoritative (has a valid TLS certificate for
the server in question), then Firefox will carry out the described retry
behavior. Currently all ECH support is disabled behind a pref by
default, but you can enable it by setting network.dns.echconfig.enabled
to true.
“Authoritative” is not the same as having “a valid TLS certificate for the
server”. Everyone can get the certificate of a TLS server.
From: TLS On Behalf Of ietf=40dennis-jackson...@dmarc.ietf.org
Sent: Monday, October 10, 2022 10:15 AM
To: tls@ietf.org
Subject: Re: [TLS] Securely disabling ECH
* In other words, the middlebox serves a cert to the client that is
cryptographically valid for the said public name of the client facing server.
The only way that happens is if the middlebox *terminates the TLS connection*
In this case it is like my client<>cdn<>origin picture. The middle
You and "SB" are in agreement. There is a middlebox terminating the TLS
connection with a cert chain signed by a root which is also installed on
the client. The middlebox in turn is connecting to a TLS Server whose
cert chains back to a webpki root. The middlebox is handling the
termination and