On 2012-05-13 at 10:50 -0400, Edward Ned Harvey wrote:
> I never heard of SNI before, but this is absolutely going the right
> direction. So I would like to go do some experimentation, and/or
> looking up which browsers support it... It is "The right thing to
> do." In a philosophical sense.

What I found notable, after pimping SNI as an idea for some time after first seeing it in the TLS extension RFC, was that the first browser vendor to come out with support for it was Microsoft. Kudos to Microsoft.

> Thanks for the suggestion... This one definitely warrants further
> investigation...
> http://en.wikipedia.org/wiki/Server_Name_Indication

A few years ago (2009), I sent patches for a half dozen tools to their maintainers, adding SNI support, and they mostly got accepted. So if your OS is using decade-old releases of software, you may have issues, but for current releases, things are more favourable. (Perl's (Net::SSLeay/IO::Socket::SSL) changes went in quickly; Python wanted server-side support and I lost time to work on it, so that took someone else finishing it and SNI support is more recent there)

FWIW, the next release of Exim will support SNI both as client and as server, being able to present different certs (using different keys, etc) based upon SNI presence, if Exim is built with OpenSSL. I'm working on the GnuTLS support to see if I can get that up to parity before cutting the first RC. This matters more for the Submission role of a mail-server, than for MX, where there's no cert validation currently feasible anyway.

-Phil
