curl-library
Re: [PATCH] support for server name indication (RFC 4366)
Date: Wed, 13 Feb 2008 11:46:20 +0100
Yang Tse wrote:
> Nearly all TLS extensions introduce a lower security/privacy SSL
> framework than when not used at all. So TLS extensions should be
> explicitly requested and not turned on by default. The security
> considerations are described in RFC 4366 section 6.
>
This applies to the TLS middle layer, i.e. the SSL machinery, not to the
applications or next layer middleware.
Why must an application permit end users to turn on/off certain features?
In this particular case: The security risk is what in this case?
If a single server hosts several domains, then clearly it is
necessary for the owners of each domain to ensure that this satisfies
their security needs. Apart from this, server_name does not appear
to introduce significant security issues.
The SNI extension is an addressing hack above the TCP layer,
with a similar purpose as the Host: header since the mapping of
host name to IP address/port is not an injection.
BTW: I am not sure but the provided patch should verify whether the
host part of the URL is an IP address or a DNS name. Only DNS
names are supported by the extension.
The application, i.e. curl must also respect the issue of internationalized
DNS names, I am not sure whether this is an issue for curl.
-- To verify the signature, see http://edelpki.edelweb.fr/ This lets you load the certificate authority's certificate; you will also find the list of revoked certificates there.
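The two checks raised in the reply, that server_name must carry only DNS names (RFC 4366 section 3.1 forbids literal IPv4/IPv6 addresses) and that internationalized names need their ASCII form, as an added illustration that is not curl's code or the patch under discussion. It assumes the URL host part has already been split off and may still carry IPv6 brackets; the extension encoder follows the RFC 4366 wire layout.

```python
import ipaddress
import struct


def sni_host_name(host):
    """Return the HostName to place in the server_name extension, or None
    when the extension must be omitted for this host."""
    # URLs write IPv6 literals in brackets, e.g. https://[2001:db8::1]/
    bare = host[1:-1] if host.startswith("[") and host.endswith("]") else host
    if not bare:
        return None
    try:
        ipaddress.ip_address(bare)
        return None  # literal IPv4/IPv6 address: not permitted in server_name
    except ValueError:
        pass  # not an address literal, treat it as a DNS name
    bare = bare.rstrip(".")  # a trailing root dot is not part of the name
    try:
        # IDN labels are sent in their ASCII (xn--) form, never as UTF-8
        ascii_name = bare.encode("idna").decode("ascii")
    except UnicodeError:
        return None  # not a valid host name, do not send garbage
    return ascii_name.lower()


def server_name_extension(host):
    """Encode the RFC 4366 server_name extension for host, or b"" when the
    extension must not be sent (address literal or invalid name)."""
    name = sni_host_name(host)
    if name is None:
        return b""
    raw = name.encode("ascii")
    # ServerName { NameType host_name(0); opaque HostName<1..2^16-1>; }
    server_name = b"\x00" + struct.pack(">H", len(raw)) + raw
    # ServerNameList<1..2^16-1>
    ext_data = struct.pack(">H", len(server_name)) + server_name
    # Extension { ExtensionType server_name(0); extension_data<0..2^16-1>; }
    return struct.pack(">HH", 0, len(ext_data)) + ext_data


if __name__ == "__main__":
    # constructed sample hosts: a DNS name, an IDN, an IPv4 and an IPv6 literal
    for h in ("example.com", "bücher.example", "192.0.2.1", "[2001:db8::1]"):
        print(h, "->", sni_host_name(h), server_name_extension(h).hex())
```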