> There may be an issue with proxies. The CONNECT would not have > the same hostname as the SNI. Some firewalls might filter this.
Agree. I think that would not be very easy to do anyway since when the firewall receives the session it would not have any clue of the intended hostname (apart from SNI), so nothing really to compare with at this time. If the firewall/proxy also seats in the middle of the TLS (meaning it has certs and doing back-to-back TLS), it could of course buffer SNI and compare with "Host:" header and drop the connection if not matching. I'm not aware of any firewall/proxy checking this though. However IMO this is another point in favor of Daniel's idea. > There is another possibility in the server: Like it is done in apache, > based on the directory portion of the url, one initiates a renego, > this is a slight performance pb and one has to correctly buffer > the request. Already tried that and... faced lots of issues when implementing rehandshaking. I don't say it is not possible but this proved to be complex, on top of the performance pb. > Furthermore, a server can always request a cert, and then accept > a response without it and require basic auth then. One does > not need to distinguish very early. > If there is no matching client cert, a normal browser just doesn't > respond with one, one tolerates that and the server > asks for basic auth. Agree. On my first experiments, before I imagined the SNI solution, I tried this and I faced issues with browsers when they get a cert request and have none to present. Some (like Chrome) even dropped the connection... I did some more experiments on your idea yesterday though. It seems that all depend on whether the server is giving a hint to the browser regarding the CA certificates it knows. If nothing is specified (meaning that in theory the browser could present *any* client certificate and let the user choose and the server check...), I still have the issues mentioned before. However, if the server sends a specific CA cert that the client must match, it appears that browsers don't complain if they have no matching client cert, and follow-up silently without sending anything. So, in this second case, I finally have a scenario which looks good for me. Thanks for pushing me to have a deeper inspection on this track. At the end of the day one question remains, is Daniel's idea worth implementation or not ? Matthieu ------------------------------------------------------------------- List admin: http://cool.haxx.se/list/listinfo/curl-library Etiquette: http://curl.haxx.se/mail/etiquette.html
