
Re: Server Name Indication?



      1) Adding the constants to GSKSSL_H is no big deal, of course.
      But, I'll need to know which.

   ------

   I'd add everything that's not there.  These for sure:

   GSK_SSL_EXTN_SERVERNAME_REQUEST (230)

   GSK_SSL_EXTN_SERVERNAME_CRITICAL_REQUEST (231)

   GSK_SSL_EXTN_SERVERNAME_LIST (232)

   GSK_SSL_EXTN_SERVERNAME_CRITICAL_LIST (233)

   -----

      2) This won't be supported on older releases of IBM i, so we'll
      need to figure out how to handle that.  My thinking is that we
      would just call gsk_set_attribute_buffer() and ignore any errors
      it returns.  Older systems that don't include this functionality
      could just ignore it.  (We'd log it to the debug log, though, in
      case someone had problems due to this, then we could see what's
      going on..)

   -----

   I agree.

   -----

      3) It looks to me that the difference between
      GSK_SSL_EXTN_SERVERNAME_CRITICAL_REQUEST and
      GSK_SSL_EXTN_SERVERNAME_REQUEST is that the 'CRITICAL' one will
      fail to connect to any server that does not use SNI.  So, it
      seems to me that we should use the non-critical one in HTTPAPI,
      unless there's a reason that we want to force the use of SNI
      (which I don't think would be a good default, but could be
      enabled by the caller by calling a http_force_sni() procedure or
      something like that.)  Is there a situation where forcing this
      to be 'critical' is important?

   -----

   I don't know.  IBM told me that either 230 or 231 should work.  I
   haven't tried 230 yet.  I will do so.

   -----

      4) I don't like the idea of adding this to https_init(), because
      https_init() establishes an environment for use in multiple HTTP
      requests (to different servers).  It seems to me that this is
      more appropriate to CommSSL_Upgrade().  Will that work?  Or can
      this only be set at the environment level?

   -----

   I will call it from CommSSL_Upgrade and let you know.
-----------------------------------------------------------------------
This is the FTPAPI mailing list.  To unsubscribe, please go to:
http://www.scottklement.com/mailman/listinfo/ftpapi
-----------------------------------------------------------------------