Hi Peter,

Many thanks for your answer. I totally agree that classical usage is to fill with the FQDN.

Here is the example... Imagine one https server with a single DNS name (app.haxx.se) and you are not allowed to create a second entry. The server has to accept data POSTs from users. Some of the users need to authenticate by basic login/password and others using client certificates. The request for the client certificate must be initiated by the server during the TLS handshake, so the server needs to know whether to require a client cert at the very beginning of the transaction. The idea is to fill the SNI field with a hint for the server on which way to handle the request (similar to when you have two virtual hosts on the same http server). The RFC mentions the possibility for the server to use SNI to "guide its selection of an appropriate certificate to return to the client, and/or other aspects of security policy", which is exactly what I'm trying to achieve here.

So in my example we can imagine:

- basic auth users sending to https://app.haxx.se, with SNI app.haxx.se
- users with certs still sending to https://app.haxx.se, but with another SNI, for instance app-ssl.haxx.se

Using SNI is the simplest way I see to solve the issue (and it is working in my environment). Of course other ideas are welcome.

Last point is that offering an extra option to have advanced control over SNI in libcurl does not break anything anyway, provided of course the default behavior remains the same.

Matthieu

_________________

Date: Mon, 09 Aug 2010 11:20:01 +0200
From: Peter Sylvester <[email protected]>
To: [email protected]
Subject: Re: Manual setting of TLS Server Name Indication
Message-ID: <[email protected]>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

By design of the protocol extension, the SNI value is supposed to be derived from the host portion of the URL in case it is not an IP address, and it is supposed to be an FQDN that at least could be in the DNS (i.e. the owner of the IP address has the authority). Gatewaying or proxying using SNI is not a goal of this extension.

What do you mean by multiple virtual hosts sharing a single DNS entry? Do you have a real life example?

-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette: http://curl.haxx.se/mail/etiquette.html
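The server-side half of the scheme Matthieu describes, as an added example that is not part of the thread and not curl or libcurl code: SNI travels in cleartext in the ClientHello, so a front end can read it before any certificate is sent and pick a handshake profile from it. The block below constructs a minimal ClientHello (a constructed sample, not a capture), parses the server_name extension out of it, and maps the two hostnames from the mail (app.haxx.se and the hypothetical app-ssl.haxx.se) to a "basic-auth" or "client-cert" profile. The policy table and profile names are assumptions for illustration. Note that the SNI value is chosen by the client and is unauthenticated, so it can only select which handshake to run; the password or certificate check that follows is still what authenticates the user.

```python
import struct
from typing import Optional

# Constructed policy table (assumption, not from the thread): which handshake
# profile to run for each SNI value. Unknown or absent SNI falls back to the
# default virtual host, which is the ordinary basic-auth profile.
POLICY = {
    "app.haxx.se": "basic-auth",        # no client cert requested
    "app-ssl.haxx.se": "client-cert",   # server sends CertificateRequest
}
DEFAULT_POLICY = "basic-auth"


def build_client_hello(server_name: Optional[str]) -> bytes:
    """Construct a minimal TLS 1.2 ClientHello record (constructed sample input).

    If server_name is None the extensions block is present but empty.
    """
    body = b"\x03\x03" + bytes(32)                 # client_version + random
    body += b"\x00"                                # empty session_id
    body += struct.pack("!H", 2) + b"\xc0\x2f"     # one cipher suite
    body += b"\x01\x00"                            # null compression only
    exts = b""
    if server_name is not None:
        name = server_name.encode("idna")
        entry = b"\x00" + struct.pack("!H", len(name)) + name   # host_name type 0
        sni_list = struct.pack("!H", len(entry)) + entry
        exts += struct.pack("!HH", 0x0000, len(sni_list)) + sni_list
    body += struct.pack("!H", len(exts)) + exts
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body   # type 1, 3-byte len
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes) -> Optional[str]:
    """Return the host_name from the server_name extension, or None if absent.

    Raises ValueError on anything that is not a handshake record carrying a
    ClientHello, so a front end can reject garbage before touching policy.
    """
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    p = hs[4:4 + hs_len]

    pos = 2 + 32                                   # skip version and random
    sid_len = p[pos]
    pos += 1 + sid_len
    cs_len = struct.unpack("!H", p[pos:pos + 2])[0]
    pos += 2 + cs_len
    comp_len = p[pos]
    pos += 1 + comp_len
    if pos + 2 > len(p):
        return None                                # no extensions block at all
    ext_len = struct.unpack("!H", p[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len

    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", p[pos:pos + 4])
        pos += 4
        edata = p[pos:pos + elen]
        pos += elen
        if etype != 0x0000:
            continue                               # not server_name
        list_len = struct.unpack("!H", edata[:2])[0]
        q = 2
        while q + 3 <= 2 + list_len:
            ntype = edata[q]
            nlen = struct.unpack("!H", edata[q + 1:q + 3])[0]
            q += 3
            name = edata[q:q + nlen]
            q += nlen
            if ntype == 0:                         # host_name
                return name.decode("ascii")
    return None


def select_policy(record: bytes) -> str:
    """Choose the handshake profile from the ClientHello's SNI value.

    This only decides whether the server will ask for a client certificate;
    it is a routing hint, not an authentication decision.
    """
    sni = extract_sni(record)
    return POLICY.get(sni, DEFAULT_POLICY)


if __name__ == "__main__":
    for host in ("app.haxx.se", "app-ssl.haxx.se", None):
        hello = build_client_hello(host)
        print(f"SNI={extract_sni(hello)!r:>20}  ->  profile={select_policy(hello)}")
```

A real deployment would do the same dispatch inside the TLS library's SNI callback (switching to a context with client certificate verification required for the app-ssl name) rather than hand-parsing records, but the parser makes visible exactly what information the server has at the point where it must decide.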
