Re: TLS SNI support

From: DTNX Postmaster (postmasterdtnx.net)
Date: Fri Nov 07 2014 - 00:58:03 CST


On 07 Nov 2014, at 07:28, Peter <peterpajamian.dhs.org> wrote:

>> and it is smart to do it that way
>>
>> other than for webservers you have not different contents for different
>> hostnames but mandatory user authentication - so why waste time and
>> money dealing with different hostnames and certificates?
>
> I understand where you're coming from, it is a purely cosmetic
> difference which affects one setting in a user's email client, but that
> one setting is rather important to a lot of people.

In my experience, the user sets it once, and then completely forgets
about it. And if it is that important to them, why not pay extra for
it? Oh, wait, do you mean it costs extra? Never mind, then, not so
important anymore ;-)

I reckon that if you could get reliable data beyond 'a lot of people',
it'd be a very small group that would insist on it.

Anyway, do you have an example of a legitimate need for SNI, one that
cannot be addressed by using a multi-domain certificate, adding extra
IP addresses and splitting it that way, or using Victor's port example?

Mvg,
Joni

--

P.S.: Running alternate configurations on non-standard ports is
actually suboptimal, given how many clients autodetect the port to use,
these days. But that brings us back to the other two options.