> On Oct 9, 2019, at 9:04 PM, Rob Sayre <say...@gmail.com> wrote:
>
> On Wed, Oct 9, 2019 at 7:59 PM Salz, Rich <rs...@akamai.com> wrote:
>
>>> But, if I have Cloudflare (or any CDN) configured for a domain, and the origin is only available via IPv6, the need for a disambiguating SNI in the ClientHello from CDN to Origin is not clear.
>>
>> That assumes that there is a one-to-one correspondence between an origin and its certificate, which isn’t true. I might have “api.example.com” and “new-api.example.com” at the same IP address.
>
> I don't think that's quite what I'm proposing. I'm proposing (optionally) sending the SNI with a client certificate. I agree that SNI in ClientHello is needed to choose server certificates for IPv4, for the reason you say.
Are you suggesting: “In an IPv6 backend/origin scenario, the SNI should be sent along with the client certificate instead of within the ClientHello message”? From my understanding, neither IPv4 nor IPv6 should have anything to do with the concept “virtual host”, so when a client (say, a CDN node) connects to either an IPv4 or IPv6 server (say, an origin server), the SNI should apply the same in the TLS layer.

> thanks,
> Rob
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls

Regards,
Paul Yang
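As an added example (not code from any participant in this thread), the following Python builds a minimal ClientHello carrying a server_name extension, parses the host name back out, and selects a certificate for the two same-IP hostnames Rich mentions. The peer address, IPv4 or IPv6, is deliberately never consulted, which is the point Paul makes; the certificate labels and addresses are constructed placeholders.

```python
import struct
from typing import Optional

# Constructed virtual-host table: two names share one origin IP, so the
# server needs SNI to pick a certificate. Certificate labels are placeholders.
CERTS_BY_NAME = {"api.example.com": "cert-api", "new-api.example.com": "cert-new-api"}

def build_client_hello(hostname: Optional[str]) -> bytes:
    """Build a minimal TLS 1.2-style ClientHello; with hostname=None, no SNI."""
    ext = b""
    if hostname is not None:
        name = hostname.encode("ascii")
        # ServerNameList: list_len(2) | name_type(1)=0 host_name | name_len(2) | name
        sni = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
        ext = struct.pack("!HH", 0, len(sni)) + sni              # ext type 0 = server_name
    body = (b"\x03\x03" + b"\x00" * 32                           # client_version, random
            + b"\x00"                                           # empty session_id
            + struct.pack("!H", 2) + b"\x13\x01"                # one cipher suite
            + b"\x01\x00"                                       # compression: null only
            + struct.pack("!H", len(ext)) + ext)                # extensions
    hs = b"\x01" + struct.pack("!I", len(body))[1:] + body      # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs    # TLSPlaintext record header

def extract_sni(record: bytes) -> Optional[str]:
    """Return host_name from the server_name extension, or None if absent."""
    p = 5 + 4                                         # record header + handshake header
    p += 2 + 32                                       # client_version + random
    p += 1 + record[p]                                # session_id
    p += 2 + struct.unpack("!H", record[p:p + 2])[0]  # cipher_suites
    p += 1 + record[p]                                # compression_methods
    ext_end = p + 2 + struct.unpack("!H", record[p:p + 2])[0]
    p += 2
    while p + 4 <= ext_end:
        ext_type, ext_len = struct.unpack("!HH", record[p:p + 4])
        p += 4
        if ext_type == 0:
            # skip list_len(2) and name_type(1), then read name_len(2) and the name
            name_len = struct.unpack("!H", record[p + 3:p + 5])[0]
            return record[p + 5:p + 5 + name_len].decode("ascii")
        p += ext_len
    return None

def select_certificate(record: bytes, peer_addr: str) -> Optional[str]:
    """Pick a certificate by SNI alone; peer_addr (IPv4 or IPv6) is not consulted."""
    sni = extract_sni(record)
    return CERTS_BY_NAME.get(sni) if sni else None
```

Without a server_name extension the selector returns None, which is exactly the ambiguity the ClientHello SNI resolves when several names sit behind one address.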