Thank you Dennis. Will give it a try. Best regards, SB
On Mon, Oct 10, 2022 at 11:07 AM Dennis Jackson <ietf= [email protected]> wrote:

> You and "SB" are in agreement. There is a middlebox terminating the TLS
> connection with a cert chain signed by a root which is also installed on
> the client. The middlebox in turn is connecting to a TLS Server whose cert
> chains back to a webpki root. The middlebox is handling the termination and
> re-encryption of the client's traffic.
>
> In any case, SB's question was about whether this would trigger the ECH
> retry behavior (yes, since it appears to the client as though the middlebox
> is the server) and whether at least one client already implemented it (yes,
> Firefox).
>
> Best,
> Dennis
>
> On 10/10/2022 14:04, Salz, Rich wrote:
>
> > - In other words, the middlebox serves a cert to the client that is
> >   cryptographically valid for the said public name of the client facing
> >   server.
> >
> > The only way that happens is if the middlebox **terminates the TLS
> > connection**. In this case it is like my client<>cdn<>origin picture.
> > The middlebox cannot present a certificate and then hand off a connection
> > to the server.
> >
> > I must not be getting something important to you.
> >
> > _______________________________________________
> > TLS mailing list
> > [email protected]
> > https://www.ietf.org/mailman/listinfo/tls
_______________________________________________ TLS mailing list [email protected] https://www.ietf.org/mailman/listinfo/tls
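The client-side decision Dennis describes (an ECH rejection from a party that can authenticate as the ECHConfig's public_name triggers the retry path, while a rejection from a party that cannot is just a certificate failure) can be made concrete with a small model. The following is an added example for this thread, not code from Firefox, from any TLS library, or from the ECH draft (draft-ietf-tls-esni). It models certificates as a set of dNSNames plus the name of the root that signed them, the client's trust store as a set of root names, and the ECH accept confirmation as a boolean; the hostnames, root names and config_id values are constructed for the example.

```python
"""Model of how an ECH client classifies a server's response, in the
situations discussed in the thread: the real origin accepts ECH, a
TLS-terminating middlebox with a locally installed root rejects it, and an
untrusted party on the path tries the same trick.

Simplifications (this is an illustration, not a TLS implementation):
  - a certificate "chain" is one hop: leaf -> named root;
  - the ECH accept confirmation (normally 8 bytes derived into
    ServerHello.random) is modelled as a boolean;
  - all names, roots and config_ids are constructed for the example.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    names: tuple   # dNSName SANs the certificate is valid for
    issuer: str    # root that signed it (one-hop chain in this model)


@dataclass
class ServerResponse:
    ech_accepted: bool          # accept confirmation present in ServerHello
    cert: Cert                  # leaf presented in the server Certificate
    retry_configs: tuple = ()   # ECHConfigs from EncryptedExtensions, if any


# ECHConfig the client obtained out of band (constructed for the example).
ECH_CONFIG = {"config_id": 7, "public_name": "public.example.net"}

WEBPKI_ROOT = "WebPKI Root CA"          # assumed public root
CORP_ROOT = "Corp Inspection Root"      # assumed enterprise-installed root


def name_matches(cert: Cert, host: str) -> bool:
    """Exact dNSName match, or a single-label left-most wildcard."""
    for pattern in cert.names:
        if pattern == host:
            return True
        if pattern.startswith("*.") and host.count(".") == pattern.count("."):
            if host.endswith(pattern[1:]):
                return True
    return False


def cert_valid_for(cert: Cert, host: str, trust_store: set) -> bool:
    """Chain to a trusted root AND cover the name the client expects."""
    return cert.issuer in trust_store and name_matches(cert, host)


def classify(resp: ServerResponse, trust_store: set) -> tuple:
    """Return (outcome, next_action) for one connection attempt.

    outcome:
      "ech_accepted"           - ClientHelloInner was used; continue as normal.
      "ech_rejected_authentic" - the peer proved it is public_name; the client
                                 sends ech_required and reconnects.
      "cert_failure"           - not authenticated as public_name; abort, and
                                 never act on any retry_configs it offered.
    """
    if resp.ech_accepted:
        return "ech_accepted", None
    # On rejection the handshake continued on ClientHelloOuter, so the
    # certificate is checked against the *public* name, not the real origin.
    if not cert_valid_for(resp.cert, ECH_CONFIG["public_name"], trust_store):
        return "cert_failure", None
    if resp.retry_configs:
        return "ech_rejected_authentic", ("retry_with_ech", resp.retry_configs)
    # An authenticated public_name server that offers no retry_configs does
    # not support ECH: the client reconnects without it.
    return "ech_rejected_authentic", ("retry_without_ech", None)


def scenario_origin() -> tuple:
    """No middlebox: the ECH-aware origin accepts the inner ClientHello."""
    trust = {WEBPKI_ROOT}
    resp = ServerResponse(True, Cert(("secret.example.net",), WEBPKI_ROOT))
    return classify(resp, trust)


def scenario_middlebox(root_installed: bool) -> tuple:
    """TLS-terminating middlebox that mints a leaf for the SNI it saw, i.e.
    the public name. With its root installed on the client this looks like an
    authenticated ECH rejection; without it, a plain certificate failure."""
    trust = {WEBPKI_ROOT} | ({CORP_ROOT} if root_installed else set())
    resp = ServerResponse(False, Cert(("public.example.net",), CORP_ROOT))
    return classify(resp, trust)


def scenario_attacker_with_retry_configs() -> tuple:
    """Untrusted party offering bogus retry_configs: they must be ignored."""
    trust = {WEBPKI_ROOT}
    bogus = ({"config_id": 9, "public_name": "attacker.example"},)
    resp = ServerResponse(False, Cert(("public.example.net",), "Rogue Root"),
                          retry_configs=bogus)
    return classify(resp, trust)


if __name__ == "__main__":
    print("origin:              ", scenario_origin())
    print("middlebox, root on:  ", scenario_middlebox(True))
    print("middlebox, root off: ", scenario_middlebox(False))
    print("rogue retry_configs: ", scenario_attacker_with_retry_configs())
```

The point the model makes is the one in the thread: the client cannot distinguish a middlebox whose root it trusts from the real public_name server, so the rejection is treated as authentic and the retry path runs; the same middlebox without its root installed, or an on-path attacker, produces a certificate failure and its retry_configs are never used.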
