On Fri, Jun 02, 2017 at 10:43:00AM +0200, Toerless Eckert wrote:
> Thanks, Benoit
>
> [hope it's ok to cross-post and redirect replies to TLS]
>
> I have not followed TLS 1.3 in detail, so a quick question first:
>
> Will TLS 1.3 still permit servers to send their certificate and/or SNI in the
> clear as an option, or will it force server operators to encrypt either/or?
> If it does not permit server applications to indicate what to encrypt, then
> I would really love to know which shared web-hosters did explicitly express
> support for TLS 1.3.

SNI is always in the clear, certificates are always encrypted. There was lots
of discussion about SNI encryption, but encrypting SNI turned out to be too
nasty.

> Web hosters whose services do share IP addresses across domain names should be
> very interested to ensure such inspection works, because else a single
> misbehaving web-service they host will easily cause all their web-services to
> be blacklisted by any of the varied organizations that create blacklists:
> because blacklisting can then only be applied on a per-IP-address basis.

At least GSB can blacklist even at page granularity (I have seen such
blacklisting, in that case due to images being loaded from "shady" sites.)

-Ilari
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls