On Jul 10, 2004, at 11:13 PM, Greg Hudson wrote:
>> the server ignores the `url' argument and responds with
>
> Here we have a dilemma. Either:
>
> * The client provides the URL before TLS negotiation, which allows the
> server to use a different certificate and client cert database for each
> repository, but doesn't protect the URL from eavesdropping or
> modification. (The URL could be specified again in the TLS-protected
> stream to prevent modification.) Or,
>
> * The client does not provide the URL before TLS negotiation, so the
> URL is protected. But the server's certificate and client cert db is
> fixed for all repositories.
>
I would suggest #2.
There is already an extension to TLS defined to allow supplying a server
name during the initial client 'hello' to the server, which allows the
server to choose the certificate with which to reply. I do not think
openssl supports this yet; gnutls does, however.
-David Waite
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org
Received on Sun Jul 11 14:14:46 2004
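The design David describes (option #2 plus the server-name extension, today called SNI) as an added example that is not code from the thread or from Subversion: the server picks its certificate from the name in the ClientHello, so nothing about the repository is sent in the clear, and the URL only travels inside the TLS stream. The hostnames, the self-signed certificates, the loopback listener and the `Site` type are all constructed for this example.

```go
package main

import (
	"bufio"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"strings"
	"time"
)

// Site stands in for a server hosting several repositories, each behind its
// own hostname and certificate (constructed for this example).
type Site struct {
	certs map[string]*tls.Certificate // SNI name -> certificate to present
	roots *x509.CertPool             // what the client trusts
}

// selfSigned makes a throwaway certificate for one DNS name. Being self-signed
// and in the client's root pool, it verifies as its own chain.
func selfSigned(name string) (*tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: name},
		DNSNames:              []string{name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, nil
}

// NewSite builds one certificate per hostname and a root pool trusting them all.
func NewSite(names ...string) (*Site, error) {
	s := &Site{certs: map[string]*tls.Certificate{}, roots: x509.NewCertPool()}
	for _, n := range names {
		c, err := selfSigned(n)
		if err != nil {
			return nil, err
		}
		s.certs[n] = c
		s.roots.AddCert(c.Leaf)
	}
	return s, nil
}

// serverConfig chooses the certificate from the SNI name in the ClientHello
// (option #2 in the thread); an unknown name aborts the handshake.
func (s *Site) serverConfig() *tls.Config {
	return &tls.Config{
		MinVersion: tls.VersionTLS12,
		GetCertificate: func(h *tls.ClientHelloInfo) (*tls.Certificate, error) {
			if c, ok := s.certs[h.ServerName]; ok {
				return c, nil
			}
			return nil, fmt.Errorf("no certificate for SNI name %q", h.ServerName)
		},
	}
}

// Connect runs one handshake over loopback TCP, then sends url inside the
// encrypted stream. It returns the CN of the certificate the server chose and
// the URL exactly as the server received it.
func (s *Site) Connect(serverName, url string) (chosenCN, urlSeen string, err error) {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return "", "", err
	}
	defer ln.Close()

	type result struct {
		url string
		err error
	}
	done := make(chan result, 1)
	go func() {
		raw, err := ln.Accept()
		if err != nil {
			done <- result{"", err}
			return
		}
		defer raw.Close()
		srv := tls.Server(raw, s.serverConfig())
		if err := srv.Handshake(); err != nil {
			done <- result{"", err}
			return
		}
		line, err := bufio.NewReader(srv).ReadString('\n') // URL arrives encrypted
		done <- result{strings.TrimSpace(line), err}
	}()

	cli, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{
		ServerName: serverName, // sent in the ClientHello SNI extension
		RootCAs:    s.roots,
		MinVersion: tls.VersionTLS12,
	})
	if err != nil {
		return "", "", err
	}
	defer cli.Close()
	if _, err := fmt.Fprintf(cli, "%s\n", url); err != nil {
		return "", "", err
	}
	r := <-done
	if r.err != nil {
		return "", "", r.err
	}
	chosenCN = cli.ConnectionState().PeerCertificates[0].Subject.CommonName
	return chosenCN, r.url, nil
}

func main() {
	site, err := NewSite("svn.example.test", "other.example.test")
	if err != nil {
		panic(err)
	}
	cn, seen, err := site.Connect("other.example.test", "https://other.example.test/repos/proj/trunk")
	fmt.Printf("cert=%q url=%q err=%v\n", cn, seen, err)
	_, _, err = site.Connect("unknown.example.test", "https://unknown.example.test/repos/x")
	fmt.Println("unknown SNI name:", err)
}
```

With this shape the server still gets a per-repository certificate, which was the point of option #1, while the URL never appears on the wire unprotected. The remaining caveat is the one David's reply implies: the hostname itself is in the ClientHello in the clear, so per-repository privacy only extends as far as the hostname does not identify the repository.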