Re: [TLS] Multiple domain names in SNI (was Questions about TLS



They could share IP addresses.

But the point is that you and I don't know for certain that there is
no possible requirement for a client to send multiple hostnames, so
imposing a limitation of only one hostname could preclude some future
application from being able to use TLS (without modifications or
private agreement).

If it was hard to implement checking for a match in a list, I'd agree
with you, but literally it is a simple while loop that calls your
lookup function for each name in the SNI extension.

Mike



Martin Rex wrote:
> Michael D'Errico wrote:
>> Here's a possible reason for a client to include multiple domain
>> names in the SNI.  Suppose a user enters "foo.edu" into their
>> browser.  The browser may decide to send the two names "foo.edu"
>> and also "www.foo.edu" to the server in an attempt to connect on
>> the first try, rather than get rejected on the first connection
>> and have the overhead of retrying.
>
> I'm sorry, I don't understand your scenario.
>
> Current implementations of TCP can have only two communication peers,
> not three, and the TLS handshake also works only with two participants,
> server and client.
>
> The client MUST know which of the hostnames was used to open a particular
> network connection, so there is NO situation where more than one name
> should go into SNI here.
>
> -Martin

Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.
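As an added example (not code from the thread or from any TLS implementation), here is the server-side "simple while loop" Mike describes: the server_name extension body is parsed into its list of names, and a certificate lookup is tried for each host_name in order. The wire layout is the RFC 6066 ServerNameList (uint16 list length, then entries of uint8 name_type, uint16 length, name bytes); the `lookup` callback, the certificate table and the "foo.edu"/"www.foo.edu" inputs are constructed for illustration. Length fields are checked strictly so a malformed extension is rejected rather than silently truncated.

```python
import struct

HOST_NAME = 0  # NameType host_name (RFC 6066)


def parse_server_name_list(ext_body: bytes) -> list:
    """Parse a server_name extension body into [(name_type, name_bytes), ...].

    Every length field is validated against the enclosing structure; any
    inconsistency raises ValueError so a crafted or truncated extension
    cannot make the parser read past the data it was given.
    """
    if len(ext_body) < 2:
        raise ValueError("server_name extension too short")
    (list_len,) = struct.unpack("!H", ext_body[:2])
    if list_len != len(ext_body) - 2:
        raise ValueError("ServerNameList length does not match extension body")
    names = []
    pos, end = 2, 2 + list_len
    while pos < end:
        if end - pos < 3:
            raise ValueError("truncated ServerName entry")
        name_type = ext_body[pos]
        (name_len,) = struct.unpack("!H", ext_body[pos + 1:pos + 3])
        pos += 3
        if pos + name_len > end:
            raise ValueError("ServerName length exceeds ServerNameList")
        names.append((name_type, ext_body[pos:pos + name_len]))
        pos += name_len
    return names


def host_names(ext_body: bytes) -> list:
    """Return only the host_name entries, decoded as ASCII (IDNs arrive as punycode)."""
    out = []
    for name_type, raw in parse_server_name_list(ext_body):
        if name_type != HOST_NAME:
            continue  # unknown name types are ignored, not treated as errors
        try:
            out.append(raw.decode("ascii"))
        except UnicodeDecodeError:
            raise ValueError("host_name is not ASCII")
    return out


def encode_server_name_list(hosts: list) -> bytes:
    """Build an extension body carrying several host_name entries (client side)."""
    entries = b"".join(
        struct.pack("!BH", HOST_NAME, len(h)) + h.encode("ascii") for h in hosts
    )
    return struct.pack("!H", len(entries)) + entries


def select_certificate(ext_body: bytes, lookup):
    """The loop from the discussion: first host_name that has a certificate wins.

    `lookup` is a hypothetical server callback mapping a host name to its
    certificate (or None). Returns (matched_name, certificate) or None.
    """
    for host in host_names(ext_body):
        cert = lookup(host)
        if cert is not None:
            return host, cert
    return None


# Constructed certificate table: only the www name has a certificate.
CERTS = {"www.foo.edu": "cert:www.foo.edu"}

if __name__ == "__main__":
    body = encode_server_name_list(["foo.edu", "www.foo.edu"])
    print(host_names(body))
    print(select_certificate(body, CERTS.get))
```

Because the lookup is done per name, a server that only ever sees a single host_name behaves exactly as before, while a client that lists several names gets the first one the server can serve; a name with no certificate simply falls through to the next entry.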