Enrico Weigelt wrote:
What fools are sitting there in the IETF?! Couldn't they just define a new protocol (probably running on its own port) which allows specifying additional headers *before* the SSL handshake starts, or another SSL version which allows passing additional info from client->server before certs are exchanged/checked? Life could be so easy this way - probably too easy ...
You forget that there is a trust issue here. SSL brings with it not only encryption, but certification of the data that's being sent. If the SSL protocol somehow allowed external unprotected and untrusted information (like the name of the virtual host, as you propose) into the equation, you would lose the whole point of SSL.
Life is really simple right now - SSL happens on one layer, and HTTP happens on the layer above that.
Well, those were the same folks who invented IPSEC, which is not NAT'able.
Again, IPSEC guarantees that packets have not been tampered with, and NAT tampers with packets, so it definitely won't work (although work has been done to work around this problem). Don't forget the purpose of SSL: verification that data has not been tampered with.
Regards, Graham --