On Thu, Jun 19, 2014 at 08:52:43PM -0700, Kyle Hamilton wrote:

> Reasons include "how
> to identify when being called by an httpd that could be named anything",

Sorry, by "Apache", I meant any service that returns an unrecognized
name warning alert from the SNI callback, not specifically Apache.

> "how to identify the SNI callback versus any other callback",

That's easy, there is specific code in OpenSSL to make that callback
and process its result.

> "hacks
> are inherently not sustainable and must still be supported long after
> the offending version of the client has fallen by the wayside -- while
> creating additional security problems down the road".

That's a different argument.

So the question is whether enforcing the RFC recommendation to not
send unrecognized name warning is a "hack". Note, I am not advocating
this with any conviction, just restating the question in case it was
unclear.

-- 
Viktor.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org