Timo Sirainen wrote:
On Jul 11, 2009, at 1:10 PM, Ed W wrote:
Actually, I'm coming in rather late, but I thought that was the whole point of TLS: that you could decide what certificate to present AFTER you knew which client was connecting? This allows virtual hosting with a different SSL cert per host (the current situation is rather difficult... I'm using a cert with multiple names on it, but this is hard to buy).
You mean that there could be multiple hosts on the same IP? That extension has been talked about every once in a while, but nothing really ever happens because people just think Outlook is never going to implement it, so there's no point in even trying.
I meant that you could have one server (one IP), and when a customer connects they can connect to mail.theirdomain.com (CNAME or A to mail.ourserver.com) and not see warnings about the SSL cert not matching the address they are connecting to (i.e. the generic problem).
Right now it requires a cert containing every possible destination server name on the single cert. This works, but it's hard to buy such certs. TLS (in general) offers the *possibility* to figure out what domain the customer is trying to connect to and present the correct cert up front.
Sadly it still seems to break for email because you need the customer to AUTH before upgrading to SSL and this isn't usually what they do...
By an extension I assume you mean there is actually some standard proposed to solve that bit of the puzzle? I wasn't even aware that was on the cards.
Anyway, the question was why does TLS exist at all, and I presented the answer that we have the *possibility* to present one of several certs. I think this is a fair justification for the concept to exist. However, I agree that exploiting the potential of TLS is still not there.
As an aside, I see several other software projects now enabling the compression option when establishing an SSL connection. Any chance you could look at enabling the relevant lines of code in Dovecot? We had this conversation some months/years back and it appeared simple on the Dovecot side, but there is of course still only minimal client support (at least we can break the chicken-and-egg situation).
Cheers
Ed W