On Sun, Jun 25, 2000, Mads Toftum wrote:

> > AFAIK the TLS standard will be not changed for this. But there are drafts (or
> > are they already final RFCs?) which describe an "upgrade mechanism" for HTTP
> > connections which allows one to first send a plain HTTP request (including the
> > Host: field), then perform a step-up to SSL/TLS and then transfer the response
> > already encrypted. And because here the Host: header is seen before the
> > SSL/TLS handshake is performed, this implicitly solves the name based virtual
> > hosting issues. 
> 
> Yes, that was it.
> I don't really like the idea very much - it sounds like a dirty hack to me.

Yes, it is a hack, indeed.  One can only say that this approach at least
nicely fits into the set of other SSL/TLS kludges for other protocols (SMTP's
STARTTLS, Telnet's SSL support, etc ;) But that's all...

> And as long as none of the major browsers support it, there's not much fun
> in it at all (unless M$ suddenly choose to change that very fast ;-)
> I'd much rather see a solution along the lines of adding CNAME's to the
> certificate as x.509v3 extensions[1] or alternatively just wait for ip v6.

Yes, agreed, Mads.
                                       Ralf S. Engelschall
                                       [EMAIL PROTECTED]
                                       www.engelschall.com
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      [EMAIL PROTECTED]
Automated List Manager                            [EMAIL PROTECTED]
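The step-up exchange discussed in the thread, as an added example that is not part of the original mail or of mod_ssl: the HTTP/1.1 "Upgrade: TLS/1.0" mechanism from RFC 2817, with the client's plain request (Host sent in the clear, which is what lets a name-based vhost be chosen before any certificate is presented) and the server's 101 / 426 replies built and parsed as bytes. Host names and certificate file names are constructed; wiring the messages to a socket and starting the handshake after the 101 is left out.

```python
from typing import Dict, Optional, Tuple

CRLF = b"\r\n"
# Constructed virtual-host table: Host name -> certificate file to present.
VHOSTS = {"www.example.com": "www-example-com.pem", "shop.example.net": "shop-example-net.pem"}

def build_upgrade_request(host: str, target: str = "*") -> bytes:
    """Client: plain HTTP/1.1 request asking the server to step up to TLS.
    Host goes over the wire unencrypted, which is what lets the server pick a
    name-based vhost before any certificate is chosen (and why it is a hack)."""
    lines = [f"OPTIONS {target} HTTP/1.1".encode(), f"Host: {host}".encode(),
             b"Upgrade: TLS/1.0", b"Connection: Upgrade"]
    return CRLF.join(lines) + CRLF + CRLF

def parse_head(msg: bytes) -> Tuple[str, Dict[str, str]]:
    """Split a request or response into its start line and a lower-cased header map."""
    head = msg.partition(CRLF + CRLF)[0].decode("iso-8859-1")
    start, *rest = head.split("\r\n")
    headers: Dict[str, str] = {}
    for line in rest:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return start, headers

def _tokens(value: str) -> set:
    """Comma-separated header values (Upgrade, Connection) as a lower-cased set."""
    return {t.strip().lower() for t in value.split(",") if t.strip()}

def server_handle(request: bytes, vhosts: Dict[str, str]) -> Tuple[bytes, Optional[str]]:
    """Server: inspect Host/Upgrade/Connection before any TLS exists. Returns the
    reply to send in the clear and the certificate to use for the handshake that
    follows a 101 (None when no handshake should start)."""
    _, h = parse_head(request)
    wants_tls = "tls/1.0" in _tokens(h.get("upgrade", "")) and "upgrade" in _tokens(h.get("connection", ""))
    if not wants_tls:  # refuse to serve in the clear: 426 Upgrade Required (RFC 2817)
        return (CRLF.join([b"HTTP/1.1 426 Upgrade Required", b"Upgrade: TLS/1.0, HTTP/1.1",
                           b"Connection: Upgrade"]) + CRLF + CRLF, None)
    cert = vhosts.get(h.get("host", "").lower())
    if cert is None:  # unknown vhost: do not fall back to a default certificate
        return b"HTTP/1.1 400 Bad Request" + CRLF + CRLF, None
    reply = CRLF.join([b"HTTP/1.1 101 Switching Protocols", b"Upgrade: TLS/1.0, HTTP/1.1",
                       b"Connection: Upgrade"]) + CRLF + CRLF
    return reply, cert

def client_should_start_tls(response: bytes) -> bool:
    """Client: begin the handshake on this connection only after an explicit 101
    naming TLS; any other status means the step-up did not happen."""
    start, h = parse_head(response)
    return start.startswith("HTTP/1.1 101") and "tls/1.0" in _tokens(h.get("upgrade", ""))
```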