On Thu, Oct 10, 2019 at 10:53 PM Salz, Rich <rs...@akamai.com> wrote:
> > - For example, how is the SNI transmitted in the parens here:
> >
> > - [ Client ] -----> (ESNI) -----> [ CDN ] -----> (???) -----> [ Origin ]
>
> It is transmitted in the clear. There is no architectural reason why it
> could not be ESNI. But in my experience, there’s not much point in it,
> either.

I am not sure I agree.

> What do you mean by client cert? The CDN->Origin hop cannot present
> original Client’s certificate...

That's true. I was talking about something like this:

https://support.cloudflare.com/hc/en-us/articles/204899617-Authenticated-Origin-Pulls

Only the CDN is authenticated in that situation.

> > - I don't think a DNS-based solution like ESNI will work for that
> > second hop, because the origin tends to be identified by an IP address
> > rather than a domain name.
>
> In our experience, the origin is identified by a DNS name. I could
> double-check, but I don’t think **any** of our customer origins are
> identified by IP address.

How does that work without introducing a CDN loop? Do you require the
origins to have obscure domain names?

FWIW, the Cloudflare control panel just has an IP address field. :)

thanks.
Rob
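The two points made above about the CDN->origin hop (the SNI is in the clear on that leg, and an "authenticated origin pull" authenticates only the CDN to the origin, never the end user) can be seen in a few dozen lines of Go. The program below is an added example written for this thread; it is not code from the mailing list, from Cloudflare or from Akamai. It constructs a throwaway PKI in memory (an origin CA, a CDN "origin-pull" CA and an untrusted CA; the hostnames `origin.example.test`, `edge.cdn.example.test` and `impostor.example.test` are made up), starts an origin on localhost that requires a client certificate chaining to the CDN CA, and runs three pulls: the CDN edge with its certificate, a client with no certificate, and a client whose certificate comes from a CA the origin does not trust. The origin records the ServerName it saw in the ClientHello before any key is derived, which is exactly the plaintext SNI the thread is talking about.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// Hypothetical origin hostname (constructed for this example).
const originName = "origin.example.test"

var serial int64

// issueCert builds a certificate for cn; it is self-signed when parent is nil.
func issueCert(cn string, isCA bool, eku []x509.ExtKeyUsage, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (tls.Certificate, *x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	serial++
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           eku,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.DNSNames = []string{cn} // SAN; Go's verifier matches ServerName against SANs only
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	leaf, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, leaf, key
}

type testPKI struct {
	originCert, cdnCert, rogueCert tls.Certificate
	originPool, cdnPool            *x509.CertPool
}

// setupPKI creates the origin's server cert, the CDN's origin-pull client cert,
// and a client cert from a CA the origin does not trust (all constructed in memory).
func setupPKI() testPKI {
	_, originCA, originCAKey := issueCert("Origin Root CA", true, nil, nil, nil)
	originLeaf, _, _ := issueCert(originName, false, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}, originCA, originCAKey)
	_, cdnCA, cdnCAKey := issueCert("CDN Origin-Pull CA", true, nil, nil, nil)
	cdnLeaf, _, _ := issueCert("edge.cdn.example.test", false, []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}, cdnCA, cdnCAKey)
	_, rogueCA, rogueCAKey := issueCert("Untrusted CA", true, nil, nil, nil)
	rogueLeaf, _, _ := issueCert("impostor.example.test", false, []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}, rogueCA, rogueCAKey)
	p := testPKI{originCert: originLeaf, cdnCert: cdnLeaf, rogueCert: rogueLeaf, originPool: x509.NewCertPool(), cdnPool: x509.NewCertPool()}
	p.originPool.AddCert(originCA)
	p.cdnPool.AddCert(cdnCA) // the only CA the origin accepts client certificates from
	return p
}

var pki = setupPKI()

// originPull runs one CDN->origin TLS handshake against a local origin that requires a
// client certificate. It returns the SNI the origin observed in the ClientHello and the
// origin's handshake error (nil only when the presented certificate chains to the CDN CA).
func originPull(clientCert *tls.Certificate) (string, error) {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return "", err
	}
	defer ln.Close()
	ln.(*net.TCPListener).SetDeadline(time.Now().Add(5 * time.Second)) // never hang if the dial fails
	type result struct {
		sni string
		err error
	}
	results := make(chan result, 1)
	go func() {
		raw, err := ln.Accept()
		if err != nil {
			results <- result{err: err}
			return
		}
		defer raw.Close()
		var seen string
		srv := tls.Server(raw, &tls.Config{
			Certificates: []tls.Certificate{pki.originCert},
			ClientAuth:   tls.RequireAndVerifyClientCert, // "authenticated origin pull"
			ClientCAs:    pki.cdnPool,
			GetConfigForClient: func(h *tls.ClientHelloInfo) (*tls.Config, error) {
				seen = h.ServerName // plaintext SNI on this hop, visible before any key exists
				return nil, nil
			},
		})
		err = srv.Handshake()
		results <- result{sni: seen, err: err}
	}()
	ccfg := &tls.Config{ServerName: originName, RootCAs: pki.originPool}
	if clientCert != nil {
		ccfg.Certificates = []tls.Certificate{*clientCert}
	}
	if conn, err := tls.Dial("tcp", ln.Addr().String(), ccfg); err == nil {
		conn.Read(make([]byte, 1)) // a TLS 1.3 client finishes first; the read surfaces the origin's alert
		conn.Close()
	}
	r := <-results
	return r.sni, r.err
}

func main() {
	for _, c := range []struct {
		name string
		cert *tls.Certificate
	}{{"CDN edge with origin-pull cert", &pki.cdnCert}, {"no client cert", nil}, {"cert from untrusted CA", &pki.rogueCert}} {
		sni, err := originPull(c.cert)
		fmt.Printf("%-32s SNI seen by origin=%q  origin handshake error=%v\n", c.name, sni, err)
	}
}
```

Two things worth noticing when you run it: the origin logs `origin.example.test` as the observed SNI in all three cases, including the two it rejects, because the name arrives before any authentication or encryption happens on this leg; and the only identity the origin ever checks is the CDN's, so whatever the end user presented on the first hop is invisible here, which is the sense in which "only the CDN is authenticated in that situation".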
_______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls