On Wed, Oct 9, 2019 at 6:04 AM Rob Sayre <say...@gmail.com> wrote:

> On Wed, Oct 9, 2019 at 7:59 PM Salz, Rich <rs...@akamai.com> wrote:
>
>>
>>    - But, if I have Cloudflare (or any CDN) configured for a domain, and
>>    the origin is only available via IPv6, the need for a disambiguating SNI
>>    in the ClientHello from CDN to Origin is not clear.
>>
>> That assumes that there is a one-to-one correspondence between an origin
>> and its certificate, which isn’t true. I might have “api.example.com”
>> and “new-api.example.com” at the same IP address.
>>
>
> I don't think that's quite what I'm proposing. I'm proposing (optionally)
> sending the SNI with a client certificate.
>

What are you trying to accomplish by doing that?

-Ekr

> I agree that SNI in ClientHello is needed to choose server certificates for
> IPv4, for the reason you say.
>
> thanks,
> Rob
>
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls