On Tue, Aug 11, 2009 at 4:11 PM, kami petersen<[email protected]> wrote:
> I'd like to propose that relayd be made to accept
>
> /etc/ssl/hostname.crt
> /etc/ssl/private/hostname.key
>
> as well as what's currently looked for:
>
> /etc/ssl/IP-address.crt
> /etc/ssl/private/IP-address.key
>
> Currently it is possible to specify hostnames in relay specifications
> but it seems that they are resolved to IP-addresses before relayd is
> looking for certs.
Do you understand that in SSL, the server has to decide what certificate to send to the client based on just the remote and local IPs and ports? Given that, how should the server decide what certificate to send?

Yes, there's an extension to TLS that lets the client send the server the "server name identifier" as part of the first handshake message, but it's still relatively unsupported. In particular, it's unsupported by the version of OpenSSL in OpenBSD and even if you have it you have to decide how you handle connections that don't use it. There's also the complicated question of what the security policy of its use is: is a client allowed to request any hostname the server knows of or should it be limited to a subset of them?

Philip Guenther
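As an added illustration of what the reply is describing (this is example code written for this page, not relayd's code and not from either poster), the following Python sketch builds a raw TLS ClientHello with and without the server_name extension, pulls the requested host name out of it the way a server would have to before choosing a certificate, and then applies one possible policy: use /etc/ssl/<hostname>.crt only if the client sent a name and that name is on the relay's own allow-list, otherwise fall back to the existing /etc/ssl/<IP-address>.crt lookup. The ClientHello bytes, the listening address 192.0.2.10 and the allow-list are all constructed for the example; the policy of falling back to the IP cert for unknown or missing names is an assumption, one answer to the "subset of them" question, not something the thread settled.

```python
"""Extract SNI from a TLS ClientHello and pick a relayd-style cert path.

Added example, not relayd code.  The cert/key paths follow the thread
(/etc/ssl/<name>.crt, /etc/ssl/private/<name>.key); everything else here
(the ClientHello bytes, the local IP, the allow-list policy) is constructed.
"""
import struct

SNI_EXTENSION_TYPE = 0   # extension_type server_name (RFC 3546/4366)
HOST_NAME_TYPE = 0       # NameType host_name inside the ServerNameList


def build_client_hello(server_name=None):
    """Construct a minimal TLS 1.0 ClientHello record (constructed test input)."""
    body = b"\x03\x01"                  # client_version: TLS 1.0
    body += bytes(32)                   # client random (zeros; constructed)
    body += b"\x00"                     # session_id length 0
    body += b"\x00\x02\x00\x2f"         # one cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA
    body += b"\x01\x00"                 # compression_methods: null only
    if server_name is not None:         # old clients simply omit the extensions block
        name = server_name.encode("ascii")
        entry = struct.pack("!BH", HOST_NAME_TYPE, len(name)) + name
        sni_list = struct.pack("!H", len(entry)) + entry
        ext = struct.pack("!HH", SNI_EXTENSION_TYPE, len(sni_list)) + sni_list
        body += struct.pack("!H", len(ext)) + ext
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record):
    """Return the host_name the client asked for, or None if it sent no SNI."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) != hs_len:
        raise ValueError("truncated ClientHello")
    pos = 2 + 32                                      # skip version and random
    sid_len = body[pos]; pos += 1 + sid_len           # session_id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2 + cs_len   # cipher_suites
    cm_len = body[pos]; pos += 1 + cm_len             # compression_methods
    if pos >= len(body):
        return None                                   # no extensions block at all
    ext_total = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
    end = pos + ext_total
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4]); pos += 4
        edata = body[pos:pos + elen]; pos += elen
        if etype != SNI_EXTENSION_TYPE:
            continue
        list_len = struct.unpack("!H", edata[:2])[0]
        lpos = 2
        while lpos + 3 <= 2 + list_len:
            ntype, nlen = struct.unpack("!BH", edata[lpos:lpos + 3]); lpos += 3
            name = edata[lpos:lpos + nlen]; lpos += nlen
            if ntype == HOST_NAME_TYPE:
                return name.decode("ascii")
    return None


def select_cert(record, local_ip, allowed_names):
    """Choose (cert, key) paths for this connection.

    Policy (an assumption for this example): honour SNI only for names this
    relay is configured to serve; with no SNI, or an unknown name, fall back
    to the per-listening-address certificate relayd already looks for.
    """
    name = extract_sni(record)
    base = name.lower() if name is not None and name.lower() in allowed_names else local_ip
    return ("/etc/ssl/%s.crt" % base, "/etc/ssl/private/%s.key" % base)


if __name__ == "__main__":
    allowed = {"www.example.com"}                     # constructed allow-list
    for hello in (build_client_hello("www.example.com"),
                  build_client_hello("other.example.net"),
                  build_client_hello()):
        print(extract_sni(hello), select_cert(hello, "192.0.2.10", allowed))
```

The point the sketch makes concrete: without the extension the server sees nothing but the listening socket, so the IP-keyed lookup is the only information it has; with it, the server still has to decide what to do for clients that omit it and whether an arbitrary requested name may pull any certificate the daemon holds.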
