Ian,

Ian G wrote:
That was my thought also. And what's more, Ben posted on my blog at https://www.financialcryptography.com/mt/archives/000463.html a week back that Apache 2.1 supports TLS upgrade - http://httpd.apache.org/docs-2.1/mod/mod_ssl.html#sslengine

"New in Apache 2.1, SSLEngine can be set to optional. This enables support for RFC 2817, Upgrading to TLS Within HTTP/1.1. At this time no web browsers support RFC 2817."

The only thing I've ever run into in "the wild" that actually does TLS upgrade as a client is CUPS.

Posted by: Ben at May 21, 2005 03:22 PM

Sounds very cool and desirable, but it also sounds different to vhosts support.

iang
RFC 2817 has serious security implications for clients, because it does not specify a distinct URL scheme for TLS upgrade. Browsers are left without a means to enforce encryption on the connection. It is up to the server to upgrade the connection to TLS, or not. I would say that the HTTP TLS upgrade protocol is flawed. For this reason, it should not be implemented in general-purpose browsers such as Mozilla.

The TLS server name indication extension for the ClientHello does not have this security problem, and is the preferred solution to the problem of multiple server certs on a single IP/port.
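The SNI mechanism the post prefers, as an added example (not code from this thread or from Mozilla): a constructed TLS 1.2 ClientHello carrying a server_name extension, a parser that pulls the host_name back out (the field a server consults to pick among several certificates on one IP/port, and the one a passive monitor can log to see which name a client asked for), and a capture of the real ClientHello that Python's ssl module sends. The hostnames are placeholders.

```python
import ssl
import struct
def build_client_hello(hostname):
    """Constructed sample: a minimal TLS 1.2 ClientHello carrying one SNI host_name entry."""
    name = hostname.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(name)) + name              # name_type 0 = host_name
    ext = struct.pack("!HHH", 0, len(entry) + 2, len(entry)) + entry   # type 0 = server_name, ServerNameList
    body = (b"\x03\x03" + bytes(32) + b"\x00"                          # version, random (zeros, constructed), no session_id
            + b"\x00\x02\xc0\x2f" + b"\x01\x00"                        # one cipher suite, null compression
            + struct.pack("!H", len(ext)) + ext)                       # extensions block
    hs = b"\x01" + len(body).to_bytes(3, "big") + body                 # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs           # record type 0x16 = handshake

def extract_sni(record):
    """Return the SNI host_name from a ClientHello record, or None if absent or not a ClientHello."""
    try:
        if record[0] != 0x16 or record[5] != 0x01:
            return None
        end = min(len(record), 9 + int.from_bytes(record[6:9], "big"))
        p = 9 + 2 + 32                                                 # skip client_version + random
        p += 1 + record[p]                                             # session_id
        p += 2 + int.from_bytes(record[p:p + 2], "big")                # cipher_suites
        p += 1 + record[p]                                             # compression_methods
        ext_end = min(end, p + 2 + int.from_bytes(record[p:p + 2], "big"))
        p += 2
        while p + 4 <= ext_end:
            etype, elen = struct.unpack("!HH", record[p:p + 4])
            p += 4
            if etype == 0:                                             # server_name extension
                q, q_end = p + 2, min(p + elen, ext_end)               # skip ServerNameList length
                while q + 3 <= q_end:
                    ntype, nlen = record[q], int.from_bytes(record[q + 1:q + 3], "big")
                    if ntype == 0:                                     # host_name entry
                        return record[q + 3:q + 3 + nlen].decode("ascii", "replace")
                    q += 3 + nlen
            p += elen
    except IndexError:
        pass                                                           # truncated or malformed record
    return None

def real_client_hello(hostname):
    """Capture the ClientHello Python's ssl module (OpenSSL) emits; memory BIOs, so no network."""
    inbound, outbound = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ssl.create_default_context().wrap_bio(inbound, outbound, server_hostname=hostname)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass                                                           # ClientHello written; server reply awaited
    return outbound.read()
```

Because the name travels in the clear in the first handshake message, the same parser run on captured traffic shows exactly what a server-side certificate selector or a network monitor sees.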
Mozilla-security mailing list
[email protected]
http://mail.mozilla.org/listinfo/mozilla-security
