by cniemira
3426 days ago
It's a good article, but it's a bit light on some of the technical points. We tried doing something similar about a decade ago (before the widespread adoption of SNI) and ran into the classic connected name/host header mismatch problem. Here, it's not explained that the client has to have a way to suggest which certificate it's going to validate, and that there wasn't always an answer for that problem. Also curious to know more about their LB solution and how it scales. Encrypting everything isn't free if you're doing thousands of ECDH[E] handshakes per second to chase down that "A+" rating.