Comment 30 for bug 1834340

David Zuelke (dzuelke) wrote:

> So this means the servers that require SNI when using TLSv1.3 cannot (any longer?) be accessed by their direct IP address, their hostname *must* be used.

SNI, per RFC 6066, is not allowed for IP addresses, so servers couldn't require it (this is not new in TLSv1.3):

"Literal IPv4 and IPv6 addresses are not permitted in "HostName"."

The change in TLSv1.3 is that servers *may* now require SNI, and Google chose to do so for GMail's IMAP servers.

It's still possible to connect to IP addresses using TLSv1.3, the server just can't mandate SNI, but that's not a regression per se.

Either way, SNI is useless for an IP address - the client is already connecting to a literal IP address, so the server could, if desired, return a matching certificate without having to resort to "HostName", and that hasn't changed.
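The two rules the comment leans on (RFC 6066 forbids literal IP addresses in the SNI HostName; RFC 8446 lets a TLS 1.3 server require the extension) can be checked mechanically on a ClientHello. The following is an added example, not code from this bug report or from any of the projects involved: it builds a minimal TLS 1.3 ClientHello, parses the `server_name` and `supported_versions` extensions back out, and applies a hypothetical server policy (`check_sni_policy`) to show which hellos a GMail-style SNI-requiring server would turn away. The function names, the `imap.example.com` host and the 192.0.2.10 address are all constructed for the example.

```python
import ipaddress
import struct

SERVER_NAME_EXT = 0x0000        # RFC 6066 section 3
SUPPORTED_VERSIONS_EXT = 0x002B  # RFC 8446 section 4.2.1
TLS13 = 0x0304
TLS_AES_128_GCM_SHA256 = 0x1301


def build_client_hello(server_name=None, random_bytes=b"\x11" * 32):
    """Build a minimal TLS 1.3 ClientHello record (constructed sample, not a full handshake)."""
    extensions = b""
    if server_name is not None:
        name = server_name.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name   # name_type 0 = host_name
        sni_list = struct.pack("!H", len(entry)) + entry
        extensions += struct.pack("!HH", SERVER_NAME_EXT, len(sni_list)) + sni_list
    versions = struct.pack("!H", TLS13)
    sv = struct.pack("!B", len(versions)) + versions
    extensions += struct.pack("!HH", SUPPORTED_VERSIONS_EXT, len(sv)) + sv
    body = (
        struct.pack("!H", 0x0303)                       # legacy_version
        + random_bytes
        + b"\x00"                                       # empty legacy_session_id
        + struct.pack("!HH", 2, TLS_AES_128_GCM_SHA256)  # one cipher suite
        + b"\x01\x00"                                   # legacy_compression_methods: null only
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # handshake type 1 = client_hello
    return b"\x16\x03\x03" + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(record):
    """Return (offered_versions, sni_host); sni_host is None when no server_name extension is present."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a ClientHello handshake record")
    pos = 9 + 2 + 32                          # record hdr + handshake hdr + legacy_version + random
    pos += 1 + record[pos]                    # legacy_session_id
    pos += 2 + struct.unpack_from("!H", record, pos)[0]   # cipher_suites
    pos += 1 + record[pos]                    # legacy_compression_methods
    versions = [0x0303]                       # without supported_versions only TLS 1.2 is offered
    sni_host = None
    if pos < len(record):
        ext_len = struct.unpack_from("!H", record, pos)[0]
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack_from("!HH", record, pos)
            pos += 4
            data = record[pos:pos + elen]
            pos += elen
            if etype == SERVER_NAME_EXT:
                lp = 2                        # skip ServerNameList length
                while lp + 3 <= len(data):
                    ntype = data[lp]
                    nlen = struct.unpack_from("!H", data, lp + 1)[0]
                    name = data[lp + 3:lp + 3 + nlen]
                    if ntype == 0:
                        sni_host = name.decode("ascii", "replace")
                    lp += 3 + nlen
            elif etype == SUPPORTED_VERSIONS_EXT:
                n = data[0]
                versions = [struct.unpack_from("!H", data, 1 + 2 * i)[0] for i in range(n // 2)]
    return versions, sni_host


def is_ip_literal(name):
    """True when the SNI HostName is a literal IPv4/IPv6 address, which RFC 6066 does not permit."""
    try:
        ipaddress.ip_address(name)
        return True
    except ValueError:
        return False


def check_sni_policy(record, server_requires_sni=True):
    """Hypothetical server-side decision mirroring RFC 6066 section 3 and RFC 8446 section 9.2."""
    versions, sni = parse_client_hello(record)
    if sni is not None and is_ip_literal(sni):
        return "reject: RFC 6066 forbids literal IP addresses in HostName"
    if sni is None and server_requires_sni and TLS13 in versions:
        # RFC 8446: a server requiring SNI SHOULD answer with a missing_extension alert
        return "reject: server mandates SNI (missing_extension)"
    return "accept"


if __name__ == "__main__":
    for host in ("imap.example.com", None, "192.0.2.10"):
        print(host, "->", check_sni_policy(build_client_hello(host)))
```

Run against the three constructed hellos, the hostname case is accepted, the no-SNI case is rejected only because the policy flag is on (a server that does not mandate SNI accepts it, which is the "connect by IP still works" point in the comment), and the IP-literal case is flagged regardless of policy because the client put something in HostName that the extension does not allow.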