You and "SB" are in agreement. There is a middlebox terminating the TLS
connection with a cert chain signed by a root which is also installed on
the client. The middlebox in turn is connecting to a TLS Server whose
cert chains back to a webpki root. The middlebox is handling the
termination and re-encryption of the client's traffic.
In any case, SB's question was about whether this would trigger the ECH
retry behavior (yes, since it appears to the client as though the
middlebox is the server) and whether at least one client already
implemented it (yes, Firefox).
Best,
Dennis
On 10/10/2022 14:04, Salz, Rich wrote:
* In other words, the middlebox serves a cert to the client that is
cryptographically valid for the said public name of the client
facing server.
The only way that happens is if the middlebox **terminates the TLS
connection**. In this case it is like my client<>cdn<>origin picture.
The middlebox cannot present a certificate and then hand-off a
connection to the server.
I must not be getting something important to you.
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
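The decision the client makes in the middlebox case above, as an added example that is not part of this thread and not code from any TLS implementation: a small Python model of the ECH client's handling of the server's response. The names, certificates, trust stores and the `corp-root` / `webpki-root` labels are constructed for illustration; the rules are a simplified rendering of the draft's server-response handling (accepted vs. rejected, authenticate for the inner name or for `public_name`, act on `retry_configs` only when the terminating party supplied them). The middlebox terminates TLS with a cert chaining to a locally installed root, cannot decrypt the inner ClientHello, and so appears to the client as a server that rejected ECH; whether the client ends up in the retry state or the "securely disabled" state depends only on whether that terminating party sends `retry_configs`.

```python
"""Model of the ECH client-side decision when a TLS-terminating middlebox
sits between client and origin.  All names, roots and certs are constructed
for this example; the rules are a simplified form of the ECH draft's
server-response handling, not any library's real implementation."""
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple


@dataclass(frozen=True)
class Cert:
    names: FrozenSet[str]   # DNS names the leaf is valid for
    issuer_root: str        # root the chain terminates in (constructed label)


@dataclass(frozen=True)
class ServerReply:
    ech_accepted: bool                  # ECH acceptance confirmation present?
    cert: Cert                          # certificate the peer presented
    retry_configs: Tuple[str, ...] = () # retry_configs from EncryptedExtensions


def chain_trusted(cert: Cert, trust_store: FrozenSet[str], name: str) -> bool:
    """A chain is acceptable only if its root is in the client's store AND the
    leaf is valid for the name being authenticated."""
    return cert.issuer_root in trust_store and name in cert.names


def ech_client_outcome(trust_store: FrozenSet[str], public_name: str,
                       inner_name: str, reply: ServerReply) -> Tuple[str, Tuple[str, ...]]:
    """Return (outcome, retry_configs) for one handshake attempt.

    accepted          - inner ClientHello was decrypted; authenticated for inner_name
    retry             - ECH rejected, peer authenticated for public_name, and it
                        supplied retry_configs: client retries on a new connection
    securely_disabled - ECH rejected, peer authenticated for public_name, no
                        retry_configs: client may treat ECH as disabled by the server
    auth_failure      - peer could not be authenticated for the required name;
                        retry_configs (if any) must be ignored
    In the two rejected states the connection is authenticated only for
    public_name and is not used for application data to inner_name."""
    if reply.ech_accepted:
        if chain_trusted(reply.cert, trust_store, inner_name):
            return ("accepted", ())
        return ("auth_failure", ())
    # ECH rejected: the only name the client can check is public_name.
    if not chain_trusted(reply.cert, trust_store, public_name):
        return ("auth_failure", ())
    if reply.retry_configs:
        return ("retry", reply.retry_configs)
    return ("securely_disabled", ())


PUBLIC_NAME = "public.example"      # constructed ECHConfig public_name
INNER_NAME = "secret.example"       # constructed inner SNI

# Constructed certificates: the origin chains to a web PKI root and is valid
# for the inner name; the middlebox chains to an enterprise root and is valid
# for the public name only (it impersonates the client-facing server).
ORIGIN_CERT = Cert(frozenset({INNER_NAME}), "webpki-root")
MIDDLEBOX_CERT = Cert(frozenset({PUBLIC_NAME}), "corp-root")


def scenarios() -> dict:
    """Run the cases discussed in the thread and return their outcomes."""
    webpki_only = frozenset({"webpki-root"})
    with_corp_root = frozenset({"webpki-root", "corp-root"})
    return {
        # Direct path: origin holds the ECH private key and accepts ECH.
        "origin_accepts": ech_client_outcome(
            webpki_only, PUBLIC_NAME, INNER_NAME,
            ServerReply(ech_accepted=True, cert=ORIGIN_CERT)),
        # Middlebox terminates TLS, client trusts corp-root, no retry_configs:
        # looks like a server that has disabled ECH.
        "middlebox_no_retry": ech_client_outcome(
            with_corp_root, PUBLIC_NAME, INNER_NAME,
            ServerReply(ech_accepted=False, cert=MIDDLEBOX_CERT)),
        # Same middlebox, but it speaks ECH itself and hands out retry_configs.
        "middlebox_retry": ech_client_outcome(
            with_corp_root, PUBLIC_NAME, INNER_NAME,
            ServerReply(ech_accepted=False, cert=MIDDLEBOX_CERT,
                        retry_configs=("cfg-from-middlebox",))),
        # Client without the enterprise root: chain fails for public_name, so
        # the rejection is not a trusted signal and retry_configs are ignored.
        "middlebox_untrusted": ech_client_outcome(
            webpki_only, PUBLIC_NAME, INNER_NAME,
            ServerReply(ech_accepted=False, cert=MIDDLEBOX_CERT,
                        retry_configs=("cfg-from-middlebox",))),
    }


if __name__ == "__main__":
    for case, (outcome, configs) in scenarios().items():
        print(f"{case:22s} -> {outcome}" + (f" {configs}" if configs else ""))
```

The point the model makes is the one Dennis states: because the middlebox's chain validates for `public_name` against a root the client trusts, the client cannot distinguish it from the real server, so it treats the rejection as authoritative (retry if configs are offered, otherwise "ECH disabled by the server"). Remove that root from the client's store and the same handshake becomes an authentication failure that must not influence ECH state.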