On Fri, Oct 11, 2019 at 10:28 AM Salz, Rich <rs...@akamai.com> wrote:
> > Isn't that more complicated than sending the SNI in the second client
> > message, though?
>
> The server needs to know which cert to use after it receives the *first*
> client message.

If the CDN ---> Origin traffic is IPv6, there's no need to serve multiple certs from one IP address. But, if the original request was for "username.example.com" to a CDN IPv4 address shared by many sites, my question is how "username.example.com" would reach the origin and remain encrypted.

I think a few people have suggested uploading ESNI keys to the CDN, but it's not clear to me what domain they would be for.

Maybe the best thing to do is just set up a site that documents whether the CDN is sending SNI in the clear. I'm not really attached to any given solution, but that will probably help them find one.

thanks,
Rob
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
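The check Rob proposes (does the CDN-to-origin ClientHello carry the hostname in the clear?) comes down to parsing the first TLS record the origin receives and looking at which extensions it contains. The following is an added example, not code from the thread or from any CDN; it builds a constructed ClientHello fixture (zero random, one cipher suite) and parses it, reporting a cleartext server_name (type 0x0000) versus the draft ESNI extension. The ESNI code point 0xffce is taken from the draft-ietf-tls-esni series current in 2019 and is an assumption here; the final ECH design uses a different number. On a real origin you would feed in the bytes captured with tcpdump rather than the fixture.

```python
import struct

SNI_EXT = 0x0000    # server_name (RFC 6066)
ESNI_EXT = 0xFFCE   # encrypted_server_name, draft-ietf-tls-esni code point (assumption)


def sni_extension(hostname):
    """Build a server_name extension (type, data) for one host_name entry."""
    name = hostname.encode("idna")
    entry = b"\x00" + struct.pack("!H", len(name)) + name   # name_type 0 = host_name
    return (SNI_EXT, struct.pack("!H", len(entry)) + entry)


def build_client_hello(extensions):
    """Construct a minimal TLS ClientHello record; test fixture, not captured traffic."""
    ext_bytes = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
    body = (
        b"\x03\x03"                                 # legacy_version = TLS 1.2
        + bytes(32)                                 # random (zeros; constructed)
        + b"\x00"                                   # empty legacy_session_id
        + struct.pack("!H", 2) + b"\x13\x01"        # one suite: TLS_AES_128_GCM_SHA256
        + b"\x01\x00"                               # compression_methods: null only
        + struct.pack("!H", len(ext_bytes)) + ext_bytes
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(record):
    """Return {'sni': hostname or None, 'has_esni': bool, 'extensions': [types]}."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) != hs_len:
        raise ValueError("truncated ClientHello")

    pos = 2 + 32                                                # skip version + random
    sid_len = body[pos]; pos += 1 + sid_len
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2 + cs_len
    cm_len = body[pos]; pos += 1 + cm_len

    result = {"sni": None, "has_esni": False, "extensions": []}
    if pos + 2 > len(body):
        return result                                           # no extensions block
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
    end = pos + ext_len
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4]); pos += 4
        data = body[pos:pos + elen]; pos += elen
        result["extensions"].append(etype)
        if etype == SNI_EXT:
            list_len = struct.unpack("!H", data[:2])[0]
            q = 2
            while q + 3 <= 2 + list_len:
                ntype = data[q]
                nlen = struct.unpack("!H", data[q + 1:q + 3])[0]
                if ntype == 0:                                  # host_name
                    result["sni"] = data[q + 3:q + 3 + nlen].decode("idna")
                q += 3 + nlen
        elif etype == ESNI_EXT:
            result["has_esni"] = True
    return result


def classify(record):
    """One-line verdict for the ClientHello seen on the origin side."""
    r = parse_client_hello(record)
    if r["sni"] is not None:
        return "cleartext SNI: " + r["sni"]
    if r["has_esni"]:
        return "ESNI present, no cleartext SNI"
    return "no SNI at all"


if __name__ == "__main__":
    # Constructed fixtures: what a CDN that forwards SNI in the clear would send,
    # versus one that sends only the encrypted extension.
    print(classify(build_client_hello([sni_extension("username.example.com")])))
    print(classify(build_client_hello([(ESNI_EXT, bytes(8))])))
```

The parser deliberately walks the real record layout (session id, cipher suites, compression methods, then extensions) rather than grepping for the hostname, so a hostname that happens to appear inside an opaque extension or the random field is not mistaken for cleartext SNI.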