Author dstufft
Recipients Dima.Tisnek, Dolf.Andringa, dstufft, exarkun, giampaolo.rodola, grooverdan, janssen, jcea, markk, mnot, ncoghlan, pdp, pitrou, sag47, scott.tsai
Date 2014-03-20.12:58:01
Message-id <1395320281.97.0.796326650203.issue5639@psf.upfronthosting.co.za>
Content
It's somewhat of a grey area of security feature. It's not directly a security feature, but if you don't have SNI and you hit a site that requires it, then your error message is going to be something like what people run into with PyPI[1], which is "Cannot verify pypi.python.org, does not match hostname *.a.ssl.fastly.net". At this point most people go "What?", assume the site is at fault, and disable verification. Even more frustrating is that this is going to work fine in their browser. The answer of how to actually verify this without SNI is (once you even figure out the problem is SNI, which is non-obvious) to verify against what's actually in the CN of the cert, and send a Host header for what site you actually want. So while it is not strictly a security feature, it is fairly important for reasonably securely connecting to a site that requires SNI for the lay person.

[1] PyPI's problem is not SNI but that some clients don't support SAN certificates, but the error message is exactly the same.
History
Date | User | Action | Args
2014-03-20 12:58:02 | dstufft | set | recipients: + dstufft, jcea, exarkun, ncoghlan, janssen, pitrou, mnot, giampaolo.rodola, scott.tsai, pdp, grooverdan, Dolf.Andringa, Dima.Tisnek, markk, sag47
2014-03-20 12:58:01 | dstufft | set | messageid: <1395320281.97.0.796326650203.issue5639@psf.upfronthosting.co.za>
2014-03-20 12:58:01 | dstufft | link | issue5639 messages
2014-03-20 12:58:01 | dstufft | create |
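
Added example (not part of the original message or of CPython's own code): a way to check whether a given Python build sends SNI at all, by building a ClientHello in memory and parsing it for the `server_name` extension. It assumes Python 3.5+ for `ssl.MemoryBIO`; the function names are illustrative and no network connection is made.

```python
import ssl
import struct

def client_hello(server_hostname):
    """Return the raw ClientHello bytes a Python client would send (no network)."""
    ctx = ssl.create_default_context()
    if server_hostname is None:
        # Needed only to build a hello without a hostname; nothing is connected.
        ctx.check_hostname = False
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname=server_hostname)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass  # expected: the hello is written, the client now waits for a reply
    return outgoing.read()

def sni_from_client_hello(data):
    """Return the host_name in the server_name extension (type 0), or None."""
    body, pos = b"", 0
    while pos + 5 <= len(data):          # join handshake records (type 22)
        rtype, _, rlen = struct.unpack_from("!BHH", data, pos)
        if rtype == 22:
            body += data[pos + 5:pos + 5 + rlen]
        pos += 5 + rlen
    if not body or body[0] != 1:         # 1 = ClientHello
        raise ValueError("not a ClientHello")
    pos = 4 + 2 + 32                     # handshake header, version, random
    pos += 1 + body[pos]                 # session_id
    pos += 2 + struct.unpack_from("!H", body, pos)[0]   # cipher_suites
    pos += 1 + body[pos]                 # compression_methods
    if pos + 2 > len(body):
        return None                      # no extensions block at all
    end = pos + 2 + struct.unpack_from("!H", body, pos)[0]
    pos += 2
    while pos + 4 <= end:
        etype, elen = struct.unpack_from("!HH", body, pos)
        if etype == 0:                   # server_name
            # list length (2), name_type (1, 0 = host_name), name length (2)
            nlen = struct.unpack_from("!H", body, pos + 7)[0]
            return body[pos + 9:pos + 9 + nlen].decode("ascii")
        pos += 4 + elen
    return None

if __name__ == "__main__":
    for host in ("pypi.python.org", None):
        print(host, "->", sni_from_client_hello(client_hello(host)))
```

A client for which the second case is the only possible behaviour is the one that receives the shared-host certificate and the mismatch error quoted in the message.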