Re: [exim-dev] [Bug 2265] TLS SNI not auto-set for DANE clie…

Author: Viktor Dukhovni
Date:  
To: exim-dev
Subject: Re: [exim-dev] [Bug 2265] TLS SNI not auto-set for DANE clients


> On Apr 17, 2018, at 4:37 PM, admin--- via Exim-dev <exim-dev@???> wrote:
>
> SNI for a DANE-advertising site has to be different than one that does not?
> Sheesh. Does that not implicitly require that _all_ clients be DANE-aware,
> or that _all_ DANE-advertising hosts be prepared to be hit with SNI from
> non-DANE-aware clients (and still do the right thing)?
>
> I think SNI just became useless.


A host with TLSA records should expect DANE clients to send the MX hostname
as the SNI name. Other clients might use other SNI names or none at all.
I don't see how SNI becomes useless. If you've got a matching cert, send
that; if not, send a default cert.

-- 
    Viktor.