[openssl-project] Potentially bad news on TLS 1.3 compatibility (sans SNI)
Viktor Dukhovni
openssl-users at dukhovni.org
Thu Apr 19 19:23:16 UTC 2018
> On Apr 19, 2018, at 3:15 PM, Kurt Roeckx <kurt at roeckx.be> wrote:
>
> I think there might be some disagreement on how to go forward with
> having proper TLS in SMTP. I think Google might want to go with
> how it works for https, and so have certificates issued by a CA
> for the hostname you try to connect to. I think you would like to use
> DANE instead. But I don't see DNSSEC or DANE getting wide adoption.
NO. That's simply not the case; in fact, I've contributed significantly
to MTA-STS, and the use-case that fails here is NOT the DANE one (where
SNI is already specified), but rather legacy WebPKI auth for SMTP.
Please don't jump to conclusions or impute motives.
--
Viktor.