Ilari Liusvaara wrote:
> On Fri, Mar 10, 2017 at 09:25:41AM +0100, Martin Rex wrote:
>>
>> You don't understand the purpose of SNI and how the (already weak)
>> rfc2818 section 3.1 server endpoint identification and CABrowser Forum
>> public CA Domain validation has been designed to work.
>
> SNI has extremely little to do with public CA domain validation,
> except for special validation certificate selection in some
> methods.
SNI is the TLS-standard for clients to tell the server "This is the DNS-Hostname, which I will use for rfc2818 section 3.1 server endpoint identification. If you have multiple server certificates to choose from, you may want to consider this SNI value for choosing the server certificate to use for this TLS handshake".

CABrowser-Forum defines the rules which browsers implement on top of rfc2818 section 3.1 server endpoint identity checks of server certificates.

btw. SNI explicitly excludes IPv4 and IPv6 address matching that is defined in rfc2818 section 3.1 as alternatives to DNS Hostname matching.

-Martin

_______________________________________________
TLS mailing list
https://www.ietf.org/mailman/listinfo/tls
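As an added illustration (not code from the thread or from any TLS implementation), the two halves of what Martin describes: the client deciding what host_name to put in SNI (none for an IP literal, which RFC 6066 does not allow in SNI even though rfc2818 section 3.1 permits iPAddress matching), and a server using the SNI value only as a hint to pick among several certificates. The certificate names and the dNSName matcher are constructed for this example.

```python
import ipaddress
from typing import Optional

# Constructed sample: the server holds several certificates, each described
# here only by its dNSName SAN entries (hypothetical names, not from the thread).
SERVER_CERTS = {
    "cert-a": ["www.example.test", "example.test"],
    "cert-b": ["*.api.example.test"],
    "cert-c": ["mail.example.test"],
}
DEFAULT_CERT = "cert-a"  # what the server sends when no usable SNI arrives


def sni_value_for(target: str) -> Optional[str]:
    """Return the host_name the client should send in SNI, or None.

    RFC 6066 forbids literal IPv4/IPv6 addresses in the SNI HostName, so a
    client connecting to an IP literal sends no server_name extension at all,
    even though rfc2818 s.3.1 would still let it match an iPAddress SAN."""
    try:
        ipaddress.ip_address(target.strip("[]"))
        return None
    except ValueError:
        return target.lower().rstrip(".")


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """dNSName matching in the rfc2818 s.3.1 style, restricted to a single
    whole leftmost-label wildcard (partial-label forms such as f*.com, which
    rfc2818 allows, are deliberately not handled here)."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern.startswith("*."):
        p_labels, h_labels = pattern.split(".")[1:], hostname.split(".")
        # the wildcard covers exactly one label and never the bare parent name
        return len(h_labels) == len(p_labels) + 1 and h_labels[1:] == p_labels
    return pattern == hostname


def select_certificate(sni: Optional[str]) -> str:
    """Server side: pick the certificate whose dNSName set covers the SNI.
    The SNI is only a hint; the client still validates the returned cert
    against the name it actually intends to use."""
    if sni is None:
        return DEFAULT_CERT
    for cert_id, names in SERVER_CERTS.items():
        if any(dns_name_matches(n, sni) for n in names):
            return cert_id
    return DEFAULT_CERT
```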
