On Fri, Aug 22, 2014 at 09:55:04PM +0000, Viktor Dukhovni wrote:
> A deeper problem occurs when the HTTP URI includes a port:
> http://example.com:8080/some/path
> In that case, what would the https URI be? The approach would
> work at best just for 80/443, and not anything else.
Indeed. Ideally START-TLS would just work (but it doesn't) and not cost
an extra round trip (but it does).
It might be the case that only TCPinc can save us here.
Alternatively we should take the extra latency and pin whether the
server supported START-TLS or not (if not, pin for a few hours, if yes
pin forever). Not that pinning is free, mind you.
Nico
--
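The pinning policy Nico sketches (cache a negative START-TLS observation for a few hours, cache a positive one forever, and treat a later plaintext-only answer from a pinned host as a failure rather than a fallback) can be made concrete. The following is an added illustration, not code from the thread or from any TCPinc or HTTP implementation; the class name, the four-hour negative TTL, and the `decide()` outcomes are assumptions chosen for the example. Pins are keyed by (host, port) rather than by host alone, which also sidesteps Viktor's point that a non-default port has no obvious https counterpart.

```python
import time

# Assumed values for this example: "a few hours" for a negative pin,
# no expiry for a positive one.
PIN_NEGATIVE_TTL = 4 * 3600   # seconds
PIN_FOREVER = None


class StartTlsPinStore:
    """Remembers, per (host, port), whether a server offered START-TLS.

    Negative observations expire so the client will re-probe later;
    positive observations never expire, so a later connection that does
    not offer TLS is reported as a downgrade rather than silently accepted.
    """

    def __init__(self, clock=time.time):
        # (host, port) -> (supported, expires_at or None)
        self._pins = {}
        self._clock = clock

    def record(self, host, port, supported):
        key = (host.lower(), port)
        if supported:
            self._pins[key] = (True, PIN_FOREVER)
            return
        # A negative observation must never overwrite a positive pin;
        # that is exactly the downgrade an attacker would try to induce.
        prev = self._pins.get(key)
        if prev is not None and prev[0]:
            return
        self._pins[key] = (False, self._clock() + PIN_NEGATIVE_TTL)

    def lookup(self, host, port):
        """True (pinned as TLS-capable), False (pinned as not), or None (no live pin)."""
        key = (host.lower(), port)
        entry = self._pins.get(key)
        if entry is None:
            return None
        supported, expires_at = entry
        if expires_at is not None and self._clock() >= expires_at:
            del self._pins[key]     # negative pin has aged out; re-probe next time
            return None
        return supported

    def decide(self, host, port, server_offers_tls):
        """Combine the stored pin with what the server offers right now.

        Returns 'use_tls', 'plaintext', or 'reject'.
        """
        pinned = self.lookup(host, port)
        if server_offers_tls:
            self.record(host, port, True)
            return "use_tls"
        if pinned is True:
            # Previously seen with TLS; a plaintext-only answer now is
            # treated as a downgrade attempt or misconfiguration.
            return "reject"
        self.record(host, port, False)
        return "plaintext"


if __name__ == "__main__":
    # Constructed walk-through with a fixed starting time.
    now = [1000.0]
    store = StartTlsPinStore(clock=lambda: now[0])
    print(store.decide("example.com", 8080, False))   # plaintext, negative pin set
    now[0] += PIN_NEGATIVE_TTL + 1                    # a few hours pass
    print(store.decide("example.com", 8080, True))    # use_tls, pinned forever
    print(store.decide("example.com", 8080, False))   # reject: would be a downgrade
```

The asymmetry is the whole point: a short negative TTL bounds how long a client keeps paying for plaintext after a server gains TLS support, while the permanent positive pin is what stops an on-path attacker from stripping START-TLS on a later connection. The cost Nico alludes to is the first probe round trip per endpoint and the state the client has to keep.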