On 2019-09-13 18:48, Tom Sommer wrote:
> On 2019-09-13 15:25, William A Rowe Jr wrote:
> Would we agree that the correct error response to any TLS handshake
> omission simply be a 400 error, and not an error that indicates some
> authnz configuration trouble? Does that make it more obvious that the
> error log needs to be inspected at info, or debug level?
> A 426 response would seem to be appropriate for TLS 1.0/1.1 but it
> doesn't have the granularity to ask that a legit TLS 1.2 connection
> missing SNI needs to upgrade. Seems 400 might be best.
I think this is a great idea and compromise.
Is there something I can do to contribute, so this moves forward? A bug
report or something?
Thanks
---
Tom
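As an added example (not code from this thread, nor from httpd), the following Python script parses a TLS ClientHello record, extracts the protocol version(s) the client offers and the SNI host name, and maps the outcome to the status codes proposed above: 426 when the client offers nothing newer than TLS 1.1, 400 when a TLS 1.2+ client omits SNI. The ClientHello bytes are constructed by build_client_hello() rather than captured from real traffic, and using the highest offered version as a stand-in for the server's actual negotiation is an assumption made for illustration.

```python
"""Parse a TLS ClientHello, pull out the offered version(s) and SNI, and map a
handshake omission to an HTTP status (426 for TLS 1.0/1.1 only, 400 for a
TLS 1.2+ ClientHello with no SNI). Added example; inputs are constructed."""
import struct

TLS10, TLS11, TLS12, TLS13 = 0x0301, 0x0302, 0x0303, 0x0304
EXT_SERVER_NAME = 0x0000          # RFC 6066 server_name extension
EXT_SUPPORTED_VERSIONS = 0x002B   # RFC 8446 supported_versions extension


def build_client_hello(version, sni=None, supported_versions=None):
    """Assemble a minimal ClientHello record (constructed test input, not a capture)."""
    exts = b""
    if sni is not None:
        host = sni.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(host)) + host   # name_type 0 = host_name
        name_list = struct.pack("!H", len(entry)) + entry
        exts += struct.pack("!HH", EXT_SERVER_NAME, len(name_list)) + name_list
    if supported_versions:
        vers = b"".join(struct.pack("!H", v) for v in supported_versions)
        data = bytes([len(vers)]) + vers                         # 1-byte list length
        exts += struct.pack("!HH", EXT_SUPPORTED_VERSIONS, len(data)) + data
    body = struct.pack("!H", version) + b"\x00" * 32             # client_version + random
    body += b"\x00"                                              # empty session_id
    body += struct.pack("!H", 2) + b"\xc0\x2f"                   # one cipher suite
    body += b"\x01\x00"                                          # null compression only
    if exts:
        body += struct.pack("!H", len(exts)) + exts
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body  # type 1, 24-bit length
    return b"\x16" + struct.pack("!H", TLS10) + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(record):
    """Return {'version', 'sni', 'supported_versions'} for one ClientHello record.
    Raises ValueError on anything that is not a well-formed ClientHello."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) != hs_len:
        raise ValueError("truncated ClientHello")
    pos = 0
    version = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
    pos += 32                                                    # skip random
    pos += 1 + body[pos]                                         # skip session_id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]         # skip cipher_suites
    pos += 1 + body[pos]                                         # skip compression_methods
    info = {"version": version, "sni": None, "supported_versions": []}
    if pos == len(body):
        return info                                              # no extensions block at all
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
    end = pos + ext_len
    if end > len(body):
        raise ValueError("bad extensions length")
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4]); pos += 4
        data = body[pos:pos + elen]; pos += elen
        if len(data) != elen:
            raise ValueError("truncated extension")
        if etype == EXT_SERVER_NAME and len(data) >= 5:
            # server_name_list: 2-byte list length, then name_type(1) + name_len(2) + name
            list_len = struct.unpack("!H", data[0:2])[0]
            q = 2
            while q + 3 <= 2 + list_len:
                ntype, nlen = data[q], struct.unpack("!H", data[q + 1:q + 3])[0]; q += 3
                if ntype == 0:
                    info["sni"] = data[q:q + nlen].decode("ascii", "replace")
                    break
                q += nlen
        elif etype == EXT_SUPPORTED_VERSIONS and len(data) >= 1:
            n = data[0]
            info["supported_versions"] = [struct.unpack("!H", data[i:i + 2])[0]
                                          for i in range(1, 1 + n, 2)]
    return info


def classify_handshake(info):
    """Map a parsed ClientHello to (HTTP status or None, reason). Assumption for
    illustration: the highest version the client offers stands in for what the
    server would negotiate. Returning None means the handshake has what it needs."""
    best = max([info["version"]] + info["supported_versions"])
    if best < TLS12:
        return 426, "Upgrade Required: TLS/1.2"        # TLS 1.0/1.1 only: ask to upgrade
    if not info["sni"]:
        return 400, "Bad Request: missing SNI"         # log the detail at info/debug level
    return None, "ok"


if __name__ == "__main__":
    for label, rec in [("tls12+sni", build_client_hello(TLS12, "example.com")),
                       ("tls12-no-sni", build_client_hello(TLS12)),
                       ("tls11", build_client_hello(TLS11, "example.com"))]:
        print(label, classify_handshake(parse_client_hello(rec)))
```

Running the script prints one classification per constructed ClientHello; a server would log the parsed reason at info or debug level and send only the bare status to the client.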