On 24 March 2017 at 12:29, Viktor Dukhovni <ietf-d...@dukhovni.org> wrote:
> I've never seen
> a TLS server that has multiple chains to choose from for the same
> server identity.

I didn't have to look far.  www.cloudflare.com will switch hit and
pick RSA or ECDSA on demand:

$ ./tstclnt -h www.cloudflare.com -p 443 -D -b -C
==== certificate(s) sent by server: ====
Certificate:
    Data:
        Serial Number:03:61:3e:ff:c0:fb:82:d6:a4:d8:45:8e:8f:18:04:3a
        Signature Algorithm: X9.62 ECDSA signature with SHA256
        Issuer: "CN=DigiCert ECC Extended Validation Server CA,OU=www.digicert.com,O=DigiCert Inc,C=US"
        Validity:
            Not Before: Fri Oct 28 00:00:00 2016
            Not After : Fri Nov 02 12:00:00 2018
        Subject: "CN=cloudflare.com,O="Cloudflare, Inc.",L=San Francisco,ST=CA,C=US,postalCode=94107,STREET=101 Townsend,serialNumber=4710875,incorporationState=Delaware,incorporationCountry=US,businessCategory=Private Organization"
    Fingerprint (SHA-256):
12:C4:A5:74:7E:D5:6E:37:2C:87:89:02:25:E4:CD:51:89:6D:8E:AD:7D:55:CF:76:BF:D1:9B:6B:74:6C:70:D0

$ ./tstclnt -h www.cloudflare.com -p 443 -D -b -C -c :009c
==== certificate(s) sent by server: ====
Certificate:
    Data:
        Serial Number:01:bf:d1:dc:15:00:6e:0a:bb:a7:c6:70:ff:5e:11:01
        Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
        Issuer: "CN=DigiCert SHA2 Extended Validation Server CA,OU=www.digicert.com,O=DigiCert Inc,C=US"
        Validity:
            Not Before: Fri Oct 28 00:00:00 2016
            Not After : Fri Nov 02 12:00:00 2018
        Subject: "CN=cloudflare.com,O="Cloudflare, Inc.",L=San Francisco,ST=CA,C=US,postalCode=94107,STREET=101 Townsend,serialNumber=4710875,incorporationState=Delaware,incorporationCountry=US,businessCategory=Private Organization"
    Fingerprint (SHA-256):
30:BA:61:01:2F:FE:7C:EA:AF:9A:14:8A:0C:B0:C5:C8:52:A9:C0:4F:4B:1C:27:DB:6E:FA:99:19:C7:F4:9C:CF

I just had to ask nicely.  I'm pretty sure that there are more out
there on the web; I'm sure that mail is a whole different proposition.

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
