[arin-ppml] Fairness of banning IPv4 allocations to some category of organization

Shumon Huque shuque at isc.upenn.edu
Wed Oct 14 13:03:48 EDT 2009


On Sun, Oct 11, 2009 at 12:31:52PM -0400, William Herrin wrote:
> 
> Https, for example, does not function properly without a different IP
> address for each hostname because the SSL certificate for the server
> name must be offered to the browser before the HTTP 1.1 server name is
> transmitted by the browser.

It's possible to support this, with more modern SSL/TLS implementations.
See the TLS "Server Name Indication" extension (RFC 4366, Section 3.1),
which a client can use to pass the server name during the TLS handshake. 
Most modern browsers today already support this. Apache either already 
supports it, or (last time I checked) had patches floating around.

Even without SNI, you can make this work with a single certificate with 
multiple subjectAltName dnsname fields populated with the various server 
names.

--Shumon.


