Re: [TLS] Multiple domain names in SNI (was Questions about TLS

Martin Rex <Martin.Rex@sap.com> Fri, 30 October 2009 18:17 UTC

From: Martin Rex <Martin.Rex@sap.com>
Message-Id: <200910301817.n9UIHuZX020355@fs4113.wdf.sap.corp>
To: mike-list@pobox.com (Michael D'Errico)
Date: Fri, 30 Oct 2009 19:17:56 +0100 (MET)
In-Reply-To: <4AEB126F.2090105@pobox.com> from "Michael D'Errico" at Oct 30, 9 09:21:03 am
Cc: tls@ietf.org
Subject: Re: [TLS] Multiple domain names in SNI (was Questions about TLS
Reply-To: mrex@sap.com

Michael D'Errico wrote:
> 
> Here's a possible reason for a client to include multiple domain
> names in the SNI.  Suppose a user enters "foo.edu" into their
> browser.  The browser may decide to send the two names "foo.edu"
> and also "www.foo.edu" to the server in an attempt to connect on
> the first try, rather than get rejected on the first connection
> and have the overhead of retrying.

I'm sorry, I don't understand your scenario.

Current implementations of TCP can have only two communication peers,
not three, and the TLS handshake also works only with two participants,
server and client.

The client MUST know which of the hostnames was used to open a particular
network connection, so there is NO situation where more than one name
should go into SNI here.

-Martin
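The wire structure at issue, as an added example that is not part of the thread: the ServerNameList inside the server_name extension is encoded as a list, which is the only reason the quoted "send both names" proposal is expressible at all. The encoder and parser below were written for this page (they are not code from the thread, from SAP, or from any TLS implementation) and follow the layout of RFC 4366, later RFC 6066. The parser also enforces the rule that RFC 6066, published after this exchange, made explicit: a ServerNameList MUST NOT contain more than one name of the same name_type. That is the restriction Martin's reply argues for, since the client already knows which single host name it opened the connection for. The host names and the `_two_host_names` helper are constructed inputs.

```python
import struct

# server_name extension constants (RFC 6066, Section 3)
SNI_EXTENSION_TYPE = 0x0000
NAME_TYPE_HOST_NAME = 0


def build_sni_extension(host: str) -> bytes:
    """Encode a complete server_name extension carrying exactly one host_name.

    Layout:
      extension_type(2) extension_data_len(2)
        server_name_list_len(2)
          name_type(1) host_name_len(2) host_name
    """
    name = host.encode("ascii")  # HostName is ASCII, no trailing dot (RFC 6066)
    if not name or name.endswith(b"."):
        raise ValueError("host_name must be non-empty and have no trailing dot")
    entry = struct.pack("!BH", NAME_TYPE_HOST_NAME, len(name)) + name
    server_name_list = struct.pack("!H", len(entry)) + entry
    return struct.pack("!HH", SNI_EXTENSION_TYPE, len(server_name_list)) + server_name_list


def parse_server_name_list(ext_data: bytes) -> list:
    """Parse the extension_data of a server_name extension into (name_type, name) pairs.

    Rejects truncated or inconsistent length fields and, per RFC 6066, more than
    one name of the same name_type, so a list with two host_name entries fails.
    """
    if len(ext_data) < 2:
        raise ValueError("truncated ServerNameList length")
    (list_len,) = struct.unpack("!H", ext_data[:2])
    body = ext_data[2:]
    if list_len == 0 or list_len != len(body):
        raise ValueError("ServerNameList empty or length mismatch")
    names = []
    seen_types = set()
    pos = 0
    while pos < len(body):
        if len(body) - pos < 3:
            raise ValueError("truncated ServerName entry header")
        name_type, name_len = struct.unpack("!BH", body[pos:pos + 3])
        pos += 3
        if len(body) - pos < name_len:
            raise ValueError("truncated ServerName name")
        raw = body[pos:pos + name_len]
        pos += name_len
        if name_type in seen_types:
            raise ValueError("more than one name of name_type %d" % name_type)
        seen_types.add(name_type)
        if name_type == NAME_TYPE_HOST_NAME:
            if name_len == 0:
                raise ValueError("empty host_name")
            try:
                raw = raw.decode("ascii")
            except UnicodeDecodeError:
                raise ValueError("host_name is not ASCII")
        names.append((name_type, raw))
    return names


def is_valid_server_name_list(ext_data: bytes) -> bool:
    """True if the extension_data parses under the rules above."""
    try:
        parse_server_name_list(ext_data)
        return True
    except ValueError:
        return False


def selected_host_name(ext_data: bytes):
    """The single host_name the client asked for, or None if the list has none."""
    for name_type, name in parse_server_name_list(ext_data):
        if name_type == NAME_TYPE_HOST_NAME:
            return name
    return None


def _two_host_names(first: str, second: str) -> bytes:
    """Constructed input: extension_data with two host_name entries, i.e. what the
    quoted proposal ('foo.edu' and 'www.foo.edu') would put on the wire."""
    entries = b"".join(
        struct.pack("!BH", NAME_TYPE_HOST_NAME, len(h)) + h.encode("ascii")
        for h in (first, second)
    )
    return struct.pack("!H", len(entries)) + entries


if __name__ == "__main__":
    ext = build_sni_extension("foo.edu")
    print(ext.hex(), "->", selected_host_name(ext[4:]))
    print("two host_names accepted:", is_valid_server_name_list(_two_host_names("foo.edu", "www.foo.edu")))
```

Note that `parse_server_name_list` takes only the extension_data; `build_sni_extension` returns the whole extension including its 4-byte type and length header, so the caller strips those before parsing, as the `__main__` block does.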