On Mon, Aug 17, 2015 at 06:22:04AM -0400, Yaron Sheffer wrote:

>      * Server Configuration: how does the client know to whom the
>        configuration applies? For example if I connected to
>        "*.example.com" (a wildcard cert) and now I connect to
>        "srv.example.com", should I use the stored configuration?

Clients don't "connect to *.example.com", they connect to a specific
server, one of whose "presented identities" might be "*.example.com".

Since clients don't a priori know which certificates correspond to
which reference identities, they can't apply a configuration to
anything other than the exact peer for which it was obtained.

Section 6.2.2 speaks of "the server", and I think this needs to be
taken literally.  Not some set of servers, but "the server".  Of
course load-balancers might hide multiple servers behind a single
transport end-point, in which case the client may not be able to
distinguish between them, and it is then up to the server administrators
to ensure that any configurations are sufficiently "portable"
between the servers in the pool.

This is similar to the question of when to reuse cached sessions.
Postfix, for example, does not reuse a session established to one
IP address for a multi-homed host, to communicate with "the same"
host on another IP address (which might not in fact be the same
host).  [ Even further, Postfix avoids re-using sessions when the
SMTP conversation prior to STARTTLS shows a different server name
in the EHLO reply. ]

So I think the current language is largely fine, with "the server"
meaning whatever the client uses to identify a single peer as best
it can.

-- 
        Viktor.

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
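Viktor's point about scoping a stored configuration to the exact peer it was obtained from, as an added example that is neither code from the thread nor Postfix's own code; the `PeerKey`, `dns_id_matches` and `ServerConfigCache` names are invented here, and the addresses and configuration values are constructed sample data.

```python
# Added example (not from the thread or Postfix): a client-side cache of
# server configuration keyed by the exact peer it was obtained from, in
# the spirit of "the server" taken literally and the two Postfix session
# reuse rules cited above (no reuse across IP addresses of a multi-homed
# host, no reuse when the pre-STARTTLS EHLO name differs).
from dataclasses import dataclass
from typing import Dict, List, Optional


def dns_id_matches(presented: str, reference: str) -> bool:
    """RFC 6125-style DNS-ID match: '*' only as the whole leftmost label."""
    p = presented.lower().split(".")
    r = reference.lower().split(".")
    if len(p) != len(r):
        return False
    if p[0] == "*":
        # wildcard must leave at least two labels, so "*.com" never matches
        return len(p) >= 3 and p[1:] == r[1:]
    return p == r


@dataclass(frozen=True)
class PeerKey:
    """Everything the client can use to identify a single peer."""
    reference_identity: str   # the name the client set out to reach
    address: str              # transport endpoint actually connected to
    port: int
    ehlo_name: str = ""       # name in the EHLO reply before STARTTLS ("" if not SMTP)


class ServerConfigCache:
    def __init__(self) -> None:
        self._entries: Dict[PeerKey, bytes] = {}

    def store(self, peer: PeerKey, presented_ids: List[str], config: bytes) -> None:
        # The presented identities (e.g. "*.example.com") only decide whether
        # the peer proved the reference identity; they are NOT part of the key,
        # so the client never "applies" a configuration to a whole wildcard.
        if any(dns_id_matches(pid, peer.reference_identity) for pid in presented_ids):
            self._entries[peer] = config

    def lookup(self, peer: PeerKey) -> Optional[bytes]:
        # Exact-peer lookup: a different reference name, address, port or
        # EHLO name is a different peer, even if the same cert would match.
        return self._entries.get(peer)
```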
