On Wed, Oct 9, 2019 at 7:59 PM Salz, Rich <rs...@akamai.com> wrote: > > - But, if I have Cloudflare (or any CDN) configured for a domain, and > the origin is only available via IPv6, the need for a disambiguating SNI in > the ClientHello from CDN to Origin is not clear. > > > > That assumes that there is a one-to-one correspondence between an origin > and its certificate, which isn’t true. I might have “api..example.com” > and “new-api.example.com” at the same IP address. >
I don't think that's quite what I'm proposing. I'm proposing (optionally) sending the SNI with a client certificate. I agree that SNI in ClientHello is needed to choose server certificates for IPv4, for the reason you say. thanks, Rob
_______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
