Kai,
On 2/7/2012 12:58, Kai Engert wrote:
> That's a reason why I propose vouchers to be IP specific.
> In my understanding, each IP will have only a single certificate,
> regardless from where in the world you connect to it.
That's definitely an incorrect assumption to make.
There can be a very large number of different certs on a single port/IP
combination.
The server name indication extension is one reason - there may be
different certs for different values of SNI.
Different cipher suites in the ClientHello message, as previously
mentioned, can lead to certs with different KEAs.
Load balancers are yet another reason - you may end up connecting to
separate servers which could have their own separate certificates -
though not necessarily, the keys and certs could just be cloned across a
server farm.
The new Oracle Traffic Director product, which is NSS-based, supports
all the above different configurations.
Julien
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
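The first two cases Julien lists (different certificates per SNI value, and different certificates per offered cipher suite / key-exchange algorithm) can be reproduced end to end with the Go standard library. The program below is an added example, not code from this thread, from NSS or from Oracle Traffic Director. It generates throwaway self-signed certificates at run time (the hostnames www.example and mail.example are made up), runs a TLS server with a certificate-selection callback that a virtual-hosting server would have, and drives several clients against it over an in-memory pipe so that no sockets or network are needed. Each client reports which leaf certificate one and the same "IP:port" presented to it.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// selfSigned mints a throwaway self-signed server cert for host, with an RSA
// or a P-256 ECDSA key. Generated fresh on every run; none of it is real key material.
func selfSigned(host string, useRSA bool) tls.Certificate {
	var key crypto.Signer
	var err error
	if useRSA {
		key, err = rsa.GenerateKey(rand.Reader, 2048)
	} else {
		key, err = ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	}
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, key.Public(), key)
	if err != nil {
		panic(err)
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}
}

// newServerConfig models one IP:port hosting two made-up names; the default
// name additionally carries both an ECDSA and an RSA certificate.
func newServerConfig() *tls.Config {
	const fallback = "www.example"
	byHost := map[string][]tls.Certificate{
		"www.example":  {selfSigned("www.example", false), selfSigned("www.example", true)},
		"mail.example": {selfSigned("mail.example", false)},
	}
	return &tls.Config{
		SessionTicketsDisabled: true, // keeps the in-memory pipe exchange lock-step
		GetCertificate: func(hello *tls.ClientHelloInfo) (*tls.Certificate, error) {
			candidates, known := byHost[hello.ServerName]
			if !known {
				// No SNI, or a name we do not host: the default vhost answers.
				return &byHost[fallback][0], nil
			}
			// Several certs for one name: the first one the client's cipher
			// suites and signature algorithms can use wins (ECDSA vs RSA).
			for i := range candidates {
				if hello.SupportsCertificate(&candidates[i]) == nil {
					return &candidates[i], nil
				}
			}
			return nil, fmt.Errorf("no certificate for %q fits this ClientHello", hello.ServerName)
		},
	}
}

// servedCert handshakes once over an in-memory pipe (no sockets) as a client
// sending sni (empty = no SNI extension) and, if suite is non-zero, pinned to
// TLS 1.2 with that single cipher suite. It reports the presented leaf as
// "<CommonName>/<key algorithm>".
func servedCert(srv *tls.Config, sni string, suite uint16) (string, error) {
	// We observe which cert is presented, not authenticate it, so verification is off.
	cli := &tls.Config{ServerName: sni, InsecureSkipVerify: true}
	if suite != 0 {
		cli.MaxVersion, cli.CipherSuites = tls.VersionTLS12, []uint16{suite}
	}
	cConn, sConn := net.Pipe()
	defer cConn.Close()
	defer sConn.Close()
	serverErr := make(chan error, 1)
	go func() { serverErr <- tls.Server(sConn, srv).Handshake() }()
	c := tls.Client(cConn, cli)
	if err := c.Handshake(); err != nil {
		return "", err
	}
	if err := <-serverErr; err != nil {
		return "", err
	}
	leaf := c.ConnectionState().PeerCertificates[0]
	return fmt.Sprintf("%s/%s", leaf.Subject.CommonName, leaf.PublicKeyAlgorithm), nil
}
```

Calling servedCert(srv, "mail.example", 0) and servedCert(srv, "www.example", 0) against the same server config returns two different certificates, a client with no SNI or an unknown name gets the default vhost's certificate, and a TLS 1.2 client offering only TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 for www.example is handed the RSA certificate while an ECDHE_ECDSA-only client is handed the ECDSA one. A client that asks for mail.example with an RSA-only suite fails the handshake, because that name has no certificate whose key type matches what it offered. A voucher, pin or similar scheme keyed only on the IP address would therefore have to account for every one of these certificates, not just one.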