On Fri, Aug 22, 2014 at 09:55:04PM +0000, Viktor Dukhovni wrote:

> A deeper problem occurs when the HTTP URI includes a port:
>
>     http://example.com:8080/some/path
>
> In that case, what would the https URI be? The approach would
> work at best just for 80/443, and not anything else.

Indeed.

Ideally START-TLS would just work (but it doesn't) and not cost an extra round trip (but it does). It might be the case that only TCPinc can save us here.

Alternatively we should take the extra latency and pin whether the server supported START-TLS or not (if not, pin for a few hours, if yes pin forever). Not that pinning is free, mind you.

Nico
--
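The pinning policy sketched in the reply above (a negative "no START-TLS" result expires after a few hours, a positive result is sticky) can be written down as a small cache. The following is an added example, not code from this thread or from any project discussed in it; the four-hour negative TTL, the `StartTlsPinCache` class and the injectable `clock` are assumptions chosen for illustration. The security-relevant rule is that a sticky positive pin is never overwritten by a later negative observation, so a server that once offered START-TLS is never silently talked to in the clear again.

```python
"""Added example: START-TLS support pin cache with asymmetric TTLs.

Policy from the reply: if a server did not offer START-TLS, remember that
for a few hours; if it did, remember that forever and refuse to downgrade.
Not code from the original thread.
"""
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

# Hypothetical "few hours" for a negative result; positive pins never expire.
NEGATIVE_TTL_SECONDS = 4 * 3600


@dataclass
class Pin:
    supported: bool
    expires_at: Optional[float]  # None means the pin is sticky


class StartTlsPinCache:
    """Keyed on (host, port) because, as the quoted mail notes, a port
    other than 80/443 has no obvious https twin; the pin must be per endpoint."""

    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self._clock = clock  # injectable for tests
        self._pins: Dict[Tuple[str, int], Pin] = {}

    def record(self, host: str, port: int, supported: bool) -> Pin:
        """Record an observation; a sticky positive pin is never downgraded."""
        key = (host.lower(), port)
        existing = self._pins.get(key)
        if existing is not None and existing.supported and not supported:
            # A later "no START-TLS" answer for a pinned host is exactly the
            # case the sticky pin exists to resist, so it is ignored.
            return existing
        expires = None if supported else self._clock() + NEGATIVE_TTL_SECONDS
        pin = Pin(supported=supported, expires_at=expires)
        self._pins[key] = pin
        return pin

    def lookup(self, host: str, port: int) -> Optional[bool]:
        """True/False if a live pin exists, None if unknown or expired."""
        key = (host.lower(), port)
        pin = self._pins.get(key)
        if pin is None:
            return None
        if pin.expires_at is not None and self._clock() >= pin.expires_at:
            del self._pins[key]  # negative pin aged out; probe again
            return None
        return pin.supported

    def must_use_tls(self, host: str, port: int) -> bool:
        """Policy decision for a connection attempt: only True forces TLS."""
        return self.lookup(host, port) is True


if __name__ == "__main__":
    cache = StartTlsPinCache()
    cache.record("example.com", 8080, True)
    cache.record("example.com", 8080, False)  # downgrade attempt, ignored
    print(cache.must_use_tls("example.com", 8080))  # True
```

The cost the reply alludes to ("not that pinning is free") shows up here as state per endpoint and as a probe round trip every time a negative pin expires; the positive side costs nothing beyond the first observation.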