On Mon, Oct 25, 2021 at 02:58:32PM +0300, Yaron Sheffer wrote:
> This is a relatively small rev from -02, with more clarity on key
> limits and mitigation of Triple Handshake (extended_master_secret).
>
> Our open issues are at https://github.com/yaronf/I-D/issues - feel
> free to comment or open new ones.
>
> On 10/25/21, 14:53, "uta-boun...@ietf.org on behalf of
> internet-dra...@ietf.org" <uta-boun...@ietf.org on behalf of
> internet-dra...@ietf.org> wrote:
>
>
>     Filename        : draft-ietf-uta-rfc7525bis-03.txt

"It is also RECOMMENDED that clients abort the handshake if the server acknowledges the SNI hostname with a different hostname than the one sent by the client." AFAIK, this can not happen. From RFC 6066: "In this event, the server SHALL include an extension of type 'server_name' in the (extended) server hello. The 'extension_data' field of this extension SHALL be empty." So the server can not acknowledge name different from what the client sent. Then there are some servers that do take client server_name into account, but fail to acknowledge that. Server certificate (if raw public keys are not used) is supposed to be valid for the SNI hostname, but it can be valid for other names as well. So it is not really acknowledgement for the SNI hostname. However, it would make sense for clients to abort if server certificate is not valid for sent SNI hostname. -Ilari _______________________________________________ Uta mailing list Uta@ietf.org https://www.ietf.org/mailman/listinfo/uta