gnutls-devel

[gnutls-dev] dnsname extension


From: Nikos Mavroyanopoulos
Subject: [gnutls-dev] dnsname extension
Date: Sat Dec 8 02:42:02 2001

GnuTLS from its early versions supported a TLS extension called dnsname. This extension is supposed to send (from the client) to the server the dnsname of the server (much like HTTP 1.1 does). This extension has the obvious advantage that it may allow TLS servers to use multiple certificates when doing virtual hosting (i.e. koko.hellug.gr and test.hellug.gr are hosted on one IP but have two different X.509 certificates).

I thought that adding this to GnuTLS might be a good idea. Now (after some discussion on the ietf-tls mailing list), I believe that this extension is really bad. The virtual hosting problem is not TLS's problem but HTTPS's (RFC 2818). It seems that HTTPS is designed in such a way that it will not allow virtual hosting. Thus the reaction was to patch (or bloat) TLS to allow virtual hosting in HTTPS [0]. I think that this is bad protocol design (it is similar to having a TCP or IP extension that contains the dnsname), thus I plan to remove the dnsname extension before 0.3.0. I'd like to hear any comments on this.


[0]: An alternative to HTTPS is RFC 2817, which does not have the virtual hosting problem.

-- 
Nikos Mavroyanopoulos
mailto:address@hidden
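As an added example (not code from the message above and not GnuTLS code), here is what the mechanism the message describes looks like in practice: the client places the server's DNS name in a ClientHello extension, and a server hosting several names on one IP uses that name to pick which X.509 certificate to present, falling back to a default certificate when the extension is absent or the name is unknown. The message does not give the wire format of the 2001 GnuTLS dnsname extension, so the encoding used here is an assumption: it is the server_name extension as later standardised in RFC 3546 / RFC 6066. The host names koko.hellug.gr and test.hellug.gr are taken from the message; the certificate labels and the VHOSTS table are constructed sample data.

```python
"""Added example (not GnuTLS code): a client-sent server-name extension and
certificate selection by that name on a virtual-hosting TLS server.

Assumption: the encoding is the server_name extension as later standardised
(RFC 3546 / RFC 6066).  The 2001 GnuTLS 'dnsname' wire format is not
described in the message and may differ.  Host names koko.hellug.gr and
test.hellug.gr come from the message; the certificate labels are made up."""
import ipaddress
import struct
from typing import Dict, Optional

SERVER_NAME_EXT = 0x0000   # ExtensionType server_name
HOST_NAME = 0              # NameType host_name


def encode_server_name(hostname: str) -> bytes:
    """Client side: extension_type, extension_data length, then a ServerNameList
    holding a single host_name entry (name_type, 16-bit length, ASCII name)."""
    name = hostname.encode("ascii")          # IDNs would be sent as A-labels
    if not name or len(name) > 0xFFFF:
        raise ValueError("bad host_name length")
    entry = struct.pack("!BH", HOST_NAME, len(name)) + name
    name_list = struct.pack("!H", len(entry)) + entry
    return struct.pack("!HH", SERVER_NAME_EXT, len(name_list)) + name_list


def decode_server_name(ext: bytes) -> Optional[str]:
    """Server side: parse one ClientHello extension and return its host_name,
    or None if the bytes are some other extension or carry no host_name.
    The client controls every length field, so each is checked against the
    buffer before it is trusted."""
    if len(ext) < 4:
        raise ValueError("truncated extension header")
    ext_type, ext_len = struct.unpack("!HH", ext[:4])
    if ext_type != SERVER_NAME_EXT:
        return None
    # An empty extension_data is only legal in a ServerHello, so it is rejected.
    if len(ext) != 4 + ext_len or ext_len < 2:
        raise ValueError("extension_data length mismatch")
    body = ext[4:]
    (list_len,) = struct.unpack("!H", body[:2])
    entries = body[2:]
    if len(entries) != list_len:
        raise ValueError("ServerNameList length mismatch")
    hostname = None
    pos = 0
    while pos < len(entries):
        if len(entries) - pos < 3:
            raise ValueError("truncated ServerName entry")
        name_type, name_len = struct.unpack("!BH", entries[pos:pos + 3])
        pos += 3
        name = entries[pos:pos + name_len]
        if len(name) != name_len:
            raise ValueError("truncated host_name")
        pos += name_len
        if name_type == HOST_NAME:
            if hostname is not None:
                raise ValueError("more than one host_name entry")
            hostname = name.decode("ascii")   # non-ASCII raises a ValueError subclass
    return hostname


def is_malformed(ext: bytes) -> bool:
    """True when decode_server_name rejects the bytes."""
    try:
        decode_server_name(ext)
    except ValueError:
        return True
    return False


def select_certificate(vhosts: Dict[str, str], default: str,
                       ext: Optional[bytes]) -> str:
    """Choose which certificate the server presents.  vhosts maps lowercase DNS
    names to certificate labels.  No extension or an unknown name falls back to
    the default certificate, which is all a single-certificate server can do."""
    if ext is None:
        return default
    name = decode_server_name(ext)
    if name is None:
        return default
    name = name.lower().rstrip(".")   # DNS names are case-insensitive
    try:
        ipaddress.ip_address(name)
    except ValueError:
        pass                           # not an address literal: a real DNS name
    else:
        raise ValueError("host_name must not be an IP literal")
    return vhosts.get(name, default)


# Constructed sample data: two names on one IP, two different certificates.
VHOSTS = {"koko.hellug.gr": "cert-koko", "test.hellug.gr": "cert-test"}
DEFAULT_CERT = "cert-default"

if __name__ == "__main__":
    for hello in (encode_server_name("test.hellug.gr"),
                  encode_server_name("KOKO.hellug.gr."),
                  encode_server_name("other.example"),
                  None):
        shown = hello.hex() if hello else "<no extension>"
        print(shown, "->", select_certificate(VHOSTS, DEFAULT_CERT, hello))
```

Two points a practitioner should keep in mind with any extension of this kind: the name travels in the cleartext ClientHello, so it is visible to anyone on the path (the same property the HTTP/1.1 Host header has once TLS is not in the picture), and it is attacker-supplied input to code that runs before any authentication, which is why every length in the decoder is checked against the buffer rather than trusted.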


