[olug] Help w/ my server

Kevin sharpestmarble at gmail.com
Mon Jul 23 22:17:27 UTC 2012


This is true. And one thing that is very highly regarded (and rightly
so) is KISS. But I do remember that some recent version of TLS
specifically permitted VirtualHosts using encryption. Because the
public certificate is sent before the connection is handed off to
HTTP, there had to be a way for the host to specify what host it was
connecting to, so the server would know what certificate to send.
IIRC, this was enabled by TLS sending the server a hostname.

On Mon, Jul 23, 2012 at 5:08 PM, Christopher Cashell
<topher-olug at zyp.org> wrote:
> On Mon, Jul 23, 2012 at 4:51 PM, Kevin <sharpestmarble at gmail.com> wrote:
>> The Way Things Should Be: DNS would have another record, something
>> like PORT, which has a number and a text description. When an end user
>> goes to a site, the system does a lookup for that service along with
>> its lookup for the IP. Something like IP/port. You would get the
>> IP (127.0.0.1) back with the port that you should use (8080), and if the
>> port lookup fails, then you would use the service default (80). This
>> way you could get around port blocks. But I don't believe it works
>> this way; DNS was set up (IIRC) when firewalls were "allow and
>> selectively block" rather than the current "block and selectively
>> allow". This would also allow you to host multiple services of the
>> same type on a single physical host, thus allowing one IP to host
>> multiple secure websites (something that has only "somewhat recently"
>> come out with TLS 1.0(?)).
>
> That would add a lot of additional complexity to all of DNS (along
> with most applications, which would then have to handle the additional
> logic) for a few select cases.  Most protocols already have well known
> port assignments, and most also support a method for specifying an
> alternate port.  Keeping DNS simple and separate (considering that the
> entire Internet is built on DNS, keeping it simple and reliable is a
> Very Good Thing) makes sense.  Additionally, remember that there are
> some protocols that don't use ports, or work in different ways.
>
> Regarding TLS/SSL, that has more to do with the TLS protocol and
> specification than with DNS.  TLS was designed to be a complete
> wrapper around a different protocol.  Many (most?) protocols don't
> have a concept of a hostname like HTTP does.  Because TLS/SSL is
> protocol-agnostic, the client has no way of specifying what hostname
> it's looking for (that happens later, for HTTP).
>
> There are other protocols that work differently, such as LDAP (and
> SMTP, POP3/IMAP, XMPP, etc).  They work by first initiating a
> connection to the server, and then issuing a special command
> (StartTLS) to "upgrade" the connection to a secure connection.  This
> allows encrypted or unencrypted communication over the same port.
>
> --
> Christopher
> _______________________________________________
> OLUG mailing list
> OLUG at olug.org
> https://lists.olug.org/mailman/listinfo/olug
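The hostname the message above recalls TLS handing to the server is the server_name extension (SNI, RFC 6066) carried in the ClientHello, which the server receives before it picks a certificate and long before any HTTP request is exchanged. What follows is an added example, not code from the thread or from any project mentioned in it: it builds a minimal TLS 1.2 ClientHello with and without that extension and parses the hostname back out the way a server (or a passive observer on the wire) would. The cipher suites, the 32-byte client random and the hostnames are constructed sample values.

```python
"""Build a TLS ClientHello with or without the server_name extension
(RFC 6066) and extract the hostname from it, as a server does before
choosing which certificate to send. Added example; sample values only."""
import os
import struct

HANDSHAKE = 0x16            # TLS record ContentType: handshake
CLIENT_HELLO = 0x01         # HandshakeType: client_hello
TLS12 = b"\x03\x03"         # version bytes for TLS 1.2
SNI_EXTENSION_TYPE = 0x0000  # ExtensionType server_name
HOST_NAME_TYPE = 0x00       # NameType host_name


def build_client_hello(server_name=None, client_random=None):
    """Return one TLS record holding a minimal ClientHello.

    With server_name=None the extensions block is omitted entirely, which
    is what a client that predates SNI sent: the server then has nothing
    but the destination IP to choose a certificate on."""
    client_random = client_random or os.urandom(32)
    assert len(client_random) == 32
    cipher_suites = b"\xc0\x2f\x00\x9c"  # two IANA suite ids, constructed sample
    body = TLS12 + client_random
    body += b"\x00"                                         # empty session_id
    body += struct.pack("!H", len(cipher_suites)) + cipher_suites
    body += b"\x01\x00"                                     # one method: null compression
    if server_name is not None:
        host = server_name.encode("idna")                   # A-label form, ASCII on the wire
        entry = bytes([HOST_NAME_TYPE]) + struct.pack("!H", len(host)) + host
        name_list = struct.pack("!H", len(entry)) + entry
        ext = struct.pack("!HH", SNI_EXTENSION_TYPE, len(name_list)) + name_list
        body += struct.pack("!H", len(ext)) + ext
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    # Record layer header; real clients often put 0x0301 here for compatibility.
    return bytes([HANDSHAKE]) + TLS12 + struct.pack("!H", len(handshake)) + handshake


def parse_sni(record):
    """Return the host_name from a ClientHello record, or None when the
    extension is absent or the record is malformed. Every advertised length
    is bounds-checked: these bytes arrive from an unauthenticated peer."""
    try:
        if record[0] != HANDSHAKE:
            return None
        rec_len = struct.unpack("!H", record[3:5])[0]
        hs = record[5:5 + rec_len]
        if len(hs) != rec_len or hs[0] != CLIENT_HELLO:
            return None
        body_len = int.from_bytes(hs[1:4], "big")
        body = hs[4:4 + body_len]
        if len(body) != body_len:
            return None
        pos = 2 + 32                                        # client_version + random
        sid_len = body[pos]; pos += 1 + sid_len             # session_id
        cs_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2 + cs_len  # cipher_suites
        cm_len = body[pos]; pos += 1 + cm_len               # compression_methods
        if pos >= len(body):
            return None                                     # no extensions block at all
        ext_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
        end = pos + ext_len
        if end > len(body):
            return None
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4]); pos += 4
            edata = body[pos:pos + elen]; pos += elen
            if len(edata) != elen:
                return None
            if etype != SNI_EXTENSION_TYPE:
                continue
            list_len = struct.unpack("!H", edata[:2])[0]
            q = 2
            while q + 3 <= 2 + list_len:                    # walk the ServerNameList
                ntype = edata[q]
                nlen = struct.unpack("!H", edata[q + 1:q + 3])[0]
                name = edata[q + 3:q + 3 + nlen]
                if len(name) != nlen:
                    return None
                if ntype == HOST_NAME_TYPE:
                    return name.decode("idna")
                q += 3 + nlen
        return None
    except (IndexError, struct.error, UnicodeError):
        return None


if __name__ == "__main__":
    for name in ("secure.example.org", None):
        hello = build_client_hello(name)
        print(f"SNI={name!r}: {len(hello)} bytes on the wire, server sees {parse_sni(hello)!r}")
```

Two things the example makes concrete: a ClientHello without the extension gives the server nothing to select a certificate on, which is the one-certificate-per-IP limitation the thread is discussing, and the name travels unencrypted in the ClientHello, so SNI also tells anyone watching the connection which site is being visited even though the HTTP request itself is encrypted.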


