Hi Nelson,

Right, but on the server side it's not a viable option yet and still in the development branches, as for example https://sni.velox.ch/ can show you.

Nelson B wrote:
> Well, then let me introduce you to "Server Name Indication" (SNI). It's SSL on port 443 (could be any port, such as the port for IMAP-over-SSL, that negotiates SSL before starting the application protocol [http, IMAP, etc.]).
>
> The client tells the server, in the SSL/TLS "client hello", the name of the server that it's trying to contact at that address/port. The server then uses that information to switch to the virtual host named in the SNI, and also to switch to the certificate for that virtual host. Each virtual host has its own certificate. The server sends to the client the cert for the virtual host that the client wants to see. The client sees no host name mismatch. Everyone is happy.

Yes, this was long overdue...

Which means that at least 60% of all clients don't support it yet. It's not there yet and it will take some time until real hosting providers can rely on that and deploy without fear... just imagine supporting only 40% of all clients/browsers ;-)

> NSS supports SNI on the client side. Mozilla browsers have supported SNI beginning with FF 2.0. It's just in there. No feature to enable. It's incompatible with SSL2, so SSL2-format client hellos must be disabled to use it, and they are disabled (by default) in FF2.
>
> Vista supports SNI, too (it's tied to the SSL code in the OS, not to the browser version, so XP users of IE7 don't get the feature, AFAIK).
--
Regards
Signer: Eddy Nigg, StartCom Ltd.
Jabber: [EMAIL PROTECTED]
Phone: +1.213.341.0390
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto