[gnutls-dev] dnsname extension
From: Nikos Mavroyanopoulos
Subject: [gnutls-dev] dnsname extension
Date: Sat Dec 8 02:42:02 2001
gnutls from its early versions supported a TLS extension called dnsname.
This extension is supposed to send (from client) to the server the dnsname of
the server (much like http 1.1 does). This extension has the obvious advantage
that it may allow TLS servers to use multiple certificates when doing virtual
hosting (i.e. koko.hellug.gr and test.hellug.gr are hosted on one IP but have
two different X.509 certificates).

I thought that adding this to gnutls might be a good idea. Now (after some
discussion in the ietf-tls mailing list), I believe that this extension is
really bad. The virtual hosting problem is not TLS' problem but HTTPS'
(rfc2818). It seems that https is designed in such a way that it will not
allow virtual hosting. Thus the reaction was to patch (or bloat) TLS to allow
virtual hosting in HTTPS[0]. I think that this is a bad protocol design (it is
similar to having a TCP or IP extension that contains dnsname), thus I plan to
remove the dnsname extension before 0.3.0. I'd like to hear any comments on
this.

[0]: An alternative to HTTPS is RFC2817, which does not have the problem of
virtual hosting.
--
Nikos Mavroyanopoulos
mailto:address@hidden
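The mechanism the post describes, a client naming the host it wants so that a server holding several certificates on one IP can pick the matching one, is what TLS later standardized as the server_name extension (RFC 6066, section 3). The block below is an added example written for this page; it is not code from the post, from GnuTLS, or from the 2001 dnsname extension, whose wire format the post does not give, so it uses the RFC 6066 encoding instead. Both sides of the exchange are shown: the client serializes the extension, the server parses it with length checks and selects a certificate. The host-to-certificate table and the certificate labels are constructed stand-ins, not real X.509 objects.

```python
"""Worked example of a server-name (SNI) extension exchange.

Client side builds the RFC 6066 server_name extension; server side
parses it and picks a certificate for the named virtual host.  Only
this one extension block is encoded, not a whole ClientHello.
"""
import struct
from typing import Optional

EXT_SERVER_NAME = 0        # extension type "server_name", RFC 6066 section 3
NAME_TYPE_HOST_NAME = 0    # the only NameType RFC 6066 defines

# Constructed sample data: two virtual hosts on one IP, each with its own
# certificate.  The values are labels standing in for real certificates.
CERTS_BY_HOST = {
    "koko.hellug.gr": "cert:koko",
    "test.hellug.gr": "cert:test",
}
DEFAULT_CERT = "cert:default"


def build_server_name_extension(hostname: str) -> bytes:
    """Client side: serialize the extension carrying the target host name.

    Layout (all lengths big-endian):
      ext_type(2) ext_len(2) list_len(2) name_type(1) name_len(2) name
    """
    name = hostname.encode("idna")  # RFC 6066: host_name is ASCII (A-labels)
    server_name = struct.pack("!BH", NAME_TYPE_HOST_NAME, len(name)) + name
    server_name_list = struct.pack("!H", len(server_name)) + server_name
    return struct.pack("!HH", EXT_SERVER_NAME, len(server_name_list)) + server_name_list


def parse_server_name_extension(data: bytes) -> Optional[str]:
    """Server side: return the requested host_name, or None if the
    extension is absent, malformed, or carries no usable host name.

    Every length field is checked against the remaining buffer before it
    is used, so a truncated or over-long extension is rejected rather
    than read past its end.
    """
    if len(data) < 4:
        return None
    ext_type, ext_len = struct.unpack("!HH", data[:4])
    if ext_type != EXT_SERVER_NAME or len(data) != 4 + ext_len:
        return None
    body = data[4:]
    if len(body) < 2:
        return None
    (list_len,) = struct.unpack("!H", body[:2])
    if list_len != len(body) - 2:
        return None
    pos = 2
    while pos + 3 <= len(body):
        name_type, name_len = struct.unpack("!BH", body[pos:pos + 3])
        pos += 3
        if pos + name_len > len(body):
            return None
        if name_type == NAME_TYPE_HOST_NAME:
            name = body[pos:pos + name_len]
            # RFC 6066: non-empty, ASCII, no trailing dot.
            if not name or name[-1:] == b"." or not name.isascii():
                return None
            return name.decode("ascii").lower()
        pos += name_len  # unknown NameType: skip it and keep looking
    return None


def select_certificate(extension: Optional[bytes]) -> str:
    """Pick the certificate for the requested host.  Without a usable
    name the server can only offer its default certificate, which is the
    virtual-hosting limitation the extension exists to remove."""
    host = parse_server_name_extension(extension) if extension else None
    if host is None:
        return DEFAULT_CERT
    return CERTS_BY_HOST.get(host, DEFAULT_CERT)


if __name__ == "__main__":
    ext = build_server_name_extension("test.hellug.gr")
    print("client sends:", ext.hex())
    print("server selects:", select_certificate(ext))
    print("no extension:", select_certificate(None))
```

The fallback to a default certificate on a missing or unknown name mirrors what a server actually does: it must still complete the handshake, so the client ends up verifying whichever certificate the server chose, and a name mismatch surfaces as a verification error on the client rather than as a TLS alert.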