On Wed, Oct 9, 2019 at 8:06 PM Eric Rescorla <e...@rtfm.com> wrote:
>
>> I don't think that's quite what I'm proposing. I'm proposing (optionally)
>> sending the SNI with a client certificate.
>>
>
> What are you trying to accomplish by doing that?
>
I want to keep the SNI encrypted in TLS hops that use client certificates, but where ESNI won't work. For example, how is the SNI transmitted in the parens here:

[ Client ] -----> (ESNI) -----> [ CDN ] -----> (???) -----> [ Origin ]

I don't think a DNS-based solution like ESNI will work for that second hop, because the origin tends to be identified by an IP address rather than a domain name.

thanks,
Rob
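Added example, not from the thread or from any of its participants: a minimal builder and parser for the TLS ClientHello `server_name` extension (RFC 6066), to make concrete what is on the wire in the "(???)" hop above when ESNI is not in play. Without ESNI the SNI is carried as a cleartext extension in the ClientHello, so anyone on the CDN-to-origin path can read it. The hostname `origin.example`, the fixed random bytes and the single cipher suite are constructed values for illustration; the ClientHello built here is deliberately minimal and is not a complete, negotiable handshake.

```python
import struct

TLS_EXT_SERVER_NAME = 0x0000  # RFC 6066 server_name extension type
SNI_HOST_NAME = 0x00          # RFC 6066 NameType host_name


def build_client_hello(sni=None, random_bytes=b"\x11" * 32):
    """Build a minimal ClientHello handshake message (no TLS record header).

    Constructed for illustration only: one cipher suite, null compression,
    and, when `sni` is given, a cleartext server_name extension exactly as
    a non-ESNI client would send it. `random_bytes` is fixed, not random.
    """
    body = b"\x03\x03"                  # legacy_version = TLS 1.2
    body += random_bytes                # 32-byte ClientHello.random
    body += b"\x00"                     # empty legacy_session_id
    body += b"\x00\x02\x13\x01"         # one suite: TLS_AES_128_GCM_SHA256
    body += b"\x01\x00"                 # compression_methods: null only
    extensions = b""
    if sni is not None:
        host = sni.encode("idna")
        entry = struct.pack("!BH", SNI_HOST_NAME, len(host)) + host
        server_name_list = struct.pack("!H", len(entry)) + entry
        extensions += struct.pack("!HH", TLS_EXT_SERVER_NAME,
                                  len(server_name_list)) + server_name_list
    body += struct.pack("!H", len(extensions)) + extensions
    # Handshake header: msg_type 1 (client_hello) + 24-bit length
    return b"\x01" + len(body).to_bytes(3, "big") + body


def extract_sni(client_hello):
    """Return the host_name from a cleartext server_name extension, or None.

    This is exactly what a passive observer on the path can recover; it is
    the field ESNI exists to hide on the first hop in the diagram.
    """
    if len(client_hello) < 4 or client_hello[0] != 0x01:
        raise ValueError("not a ClientHello handshake message")
    length = int.from_bytes(client_hello[1:4], "big")
    body = client_hello[4:4 + length]
    if len(body) != length:
        raise ValueError("truncated ClientHello")
    pos = 2 + 32                                          # version + random
    sid_len = body[pos]
    pos += 1 + sid_len                                    # legacy_session_id
    (cs_len,) = struct.unpack("!H", body[pos:pos + 2])
    pos += 2 + cs_len                                     # cipher_suites
    cm_len = body[pos]
    pos += 1 + cm_len                                     # compression_methods
    if pos == len(body):
        return None                                       # no extensions block
    (ext_len,) = struct.unpack("!H", body[pos:pos + 2])
    pos += 2
    end = pos + ext_len
    while pos + 4 <= end:
        ext_type, ext_data_len = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        data = body[pos:pos + ext_data_len]
        pos += ext_data_len
        if ext_type != TLS_EXT_SERVER_NAME:
            continue
        (list_len,) = struct.unpack("!H", data[:2])
        p = 2
        while p + 3 <= 2 + list_len:
            name_type, name_len = struct.unpack("!BH", data[p:p + 3])
            p += 3
            name = data[p:p + name_len]
            p += name_len
            if name_type == SNI_HOST_NAME:
                return name.decode("idna")
    return None


def describe_hop(label, client_hello):
    """One-line summary of what an on-path observer learns from this hop."""
    sni = extract_sni(client_hello)
    if sni is None:
        return f"{label}: no cleartext SNI in the ClientHello"
    return f"{label}: cleartext SNI visible on the path: {sni}"


if __name__ == "__main__":
    # Second hop from the diagram: CDN -> origin reached by IP, plain SNI.
    hop2 = build_client_hello("origin.example")
    print(describe_hop("CDN -> Origin", hop2))
    # Same hop with no server_name extension at all (origin picked by IP only).
    print(describe_hop("CDN -> Origin (no SNI)", build_client_hello()))
```

Run it and the first line shows `origin.example` recovered straight from the handshake bytes, which is the exposure being discussed for the second hop; the parser is also a convenient way to check, from a packet capture, whether a given hop is actually sending the name in the clear.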
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls