On 07/07/2016 10:41 AM, Steve Hill wrote: > Realistically, shouldn't the SNI reflect the DNS request that was made > to find the IP of the server you're connecting to? You would never make > a DNS request for '*.example.com' so I don't see a reason why you would > send an SNI that has a larger scope than the DNS request you made. My DNS request was for coordinator.example.com. Since I wrote both sides of the software, I know that the SSL server on that hostname will direct me to the "best" internal *.service.example.com if I ask it to do that by sending a wildcard SNI. That "SSL routing" will be based on some internal business logic unavailable to the DNS resolver. Is this design a good idea? No. Is this bad idea "realistic"? Evidently, it is. Alex. _______________________________________________ squid-users mailing list squid-users@xxxxxxxxxxxxxxxxxxxxx http://lists.squid-cache.org/listinfo/squid-users
