[gnutls-dev] dnsname extension
Nikos Mavroyanopoulos
nmav@hellug.gr
Sat Dec 8 02:42:02 2001
gnutls from it's early versions supported a TLS extension called dnsname.
This extension is supposed to send (from client) to the server the dnsname of the
server (much like http 1.1 does). This extension has the obvious advantage that
may allow TLS servers to use multiple certificates when doing virtual hosting
(Ie koko.hellug.gr, and test.hellug.gr are hosted in one IP but have two different
X.509 certificates).
I though that adding this to gnutls might be a good idea. Now (after some discussion
in the ietf-tls mailing list), I believe that this extension is really bad.
The virtual hosting problem is not TLS' problem but HTTPS' (rfc2818). It seems that https
is designed in such way that it will not allow virtual hosting. Thus the reaction
was to patch (or bloat) TLS to allow virtual hosting in HTTPS[0]. I think that this
is a bad protocol design (it is similar to having a TCP or IP extension that contains dnsname),
thus I plan to remove the dnsname extension before 0.3.0. I'd like to hear any
comments on this.
[0]: Alternatives to HTTPS is RFC2817 which does not have the problem of virtual hosting.
--
Nikos Mavroyanopoulos
mailto:nmav@hellug.gr