On 09.01.2018 11:03, Dave Cridland wrote:
> On 9 January 2018 at 04:19, Travis Burtrum <[email protected]> wrote:
>> In my opinion, at least all of cannot-connect-to-port, non-XML,
>> not-proper-stream and invalid TLS cert should trigger a fallback to the
>> next highest priority SRV record. Everyone in the MUC seemed to agree
>> if authentication fails a fallback would be a bad idea.
>
> What's the distinction between invalid TLS certificates and
> authentication failure?
I think the issue here is that the service may present you the wrong (default) certificate because the client did not use ALPN (while it would have presented the correct certificate if the client had used ALPN). So it is not the typical "certificate is invalid because it expired or does not match the expected service domain" case.

Now assume that the service is equipped with a low priority SRV RR pointing to a non-ALPN port. Performing a fallback to that port seems sensible for non-ALPN clients.

At least that is my understanding of the situation.

- Florian
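The client-side policy the thread is circling, written out as an added example (not code from the thread, nor from any XMPP client or server): walk the SRV records in RFC 2782 order, move to the next target for connection-level failures (cannot connect, non-XML, not a proper stream, certificate does not validate), and stop on an authentication failure. The records, the "attempt" function and its outcomes are all constructed here; the port numbers, hostnames and the ALPN-dependent certificate behaviour are assumptions for the scenario, and nothing performs DNS or network I/O.

```python
"""SRV fallback policy for an XMPP-style client (constructed example)."""
from __future__ import annotations

import random
from dataclasses import dataclass
from enum import Enum, auto
from typing import Callable, Iterable, Optional


class Failure(Enum):
    CANNOT_CONNECT = auto()  # TCP connect refused or timed out
    NOT_XML = auto()         # peer sent something that is not XML
    NOT_STREAM = auto()      # XML, but not a proper XMPP stream
    INVALID_CERT = auto()    # TLS certificate failed validation
    AUTH_FAILED = auto()     # SASL authentication rejected by the service


# Failure classes after which trying the next SRV target is reasonable.
FALLBACK_FAILURES = frozenset({
    Failure.CANNOT_CONNECT, Failure.NOT_XML, Failure.NOT_STREAM, Failure.INVALID_CERT,
})


@dataclass(frozen=True)
class SrvRecord:
    priority: int
    weight: int
    port: int
    target: str


def order_srv(records: Iterable[SrvRecord], rng: Optional[random.Random] = None) -> list:
    """RFC 2782 order: ascending priority; within a priority, weighted random
    selection with zero-weight records considered first."""
    rng = rng or random.Random(0)
    by_priority: dict = {}
    for rec in records:
        by_priority.setdefault(rec.priority, []).append(rec)
    ordered = []
    for prio in sorted(by_priority):
        pool = sorted(by_priority[prio], key=lambda r: r.weight != 0)
        while pool:
            n = rng.randint(0, sum(r.weight for r in pool))
            running = 0
            for rec in pool:
                running += rec.weight
                if running >= n:
                    ordered.append(rec)
                    pool.remove(rec)
                    break
    return ordered


Attempt = Callable[[SrvRecord], Optional[Failure]]


def connect_with_fallback(records, attempt: Attempt, rng=None):
    """Try targets in SRV order; `attempt` returns None on success or the
    Failure hit. Returns (record, failure, log) with failure None on success."""
    log = []
    for rec in order_srv(records, rng):
        outcome = attempt(rec)
        log.append((rec.target, rec.port, outcome))
        if outcome is None:
            return rec, None, log
        if outcome not in FALLBACK_FAILURES:
            # The genuine service rejected the credentials: presenting the same
            # credentials to further hosts gains nothing, so stop here.
            return rec, outcome, log
    return None, (log[-1][2] if log else Failure.CANNOT_CONNECT), log


# Constructed records: a multiplexed port that only serves the XMPP
# certificate when ALPN is offered, and a lower-priority plain XMPP port.
RECORDS = [
    SrvRecord(priority=0, weight=5, port=443, target="alpn.example.net"),
    SrvRecord(priority=10, weight=5, port=5222, target="xmpp.example.net"),
]


def simulated_attempt(client_uses_alpn: bool, password_ok: bool = True) -> Attempt:
    """Constructed stand-in for a real TCP/TLS/SASL connection attempt."""
    def attempt(rec: SrvRecord) -> Optional[Failure]:
        if rec.port == 443 and not client_uses_alpn:
            return Failure.INVALID_CERT  # default (non-XMPP) certificate served
        if not password_ok:
            return Failure.AUTH_FAILED
        return None
    return attempt


if __name__ == "__main__":
    for alpn in (True, False):
        rec, failure, log = connect_with_fallback(RECORDS, simulated_attempt(alpn))
        print(f"ALPN={alpn}: used {rec.target}:{rec.port}, failure={failure}, tries={len(log)}")
```

A non-ALPN client hits the default certificate on the priority-0 target, classifies that as a connection-level failure and lands on the priority-10 port; an ALPN client connects on the first try. With a bad password the walk still falls through the certificate failure but stops at the first host that actually rejects the credentials, which is the distinction Travis draws between certificate failures and authentication failures.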
_______________________________________________
Standards mailing list
Info: https://mail.jabber.org/mailman/listinfo/standards
Unsubscribe: [email protected]
_______________________________________________
