I agree with Christian and Donald (unsurprisingly).

The key thing to note is that we can extend this API as time goes on and we get a better understanding of what's happening. And any application that is doing hot TLS config changes is likely not going to be agnostic to the concrete TLS implementation it uses anyway, given that many implementations won't be sensibly able to do it.

I'm not even sure about the specific API we're using for SNI: I might just want to restrict it to emitting new certificates.

Cory

On 12 Jan 2017, at 19:29, Donald Stufft <donald@stufft.io> wrote:
On Jan 12, 2017, at 2:13 PM, Christian Heimes <christian@cheimes.de> wrote:

Let's keep it simple. We can always define an enhanced superset of the
TLS ABC later. But we cannot remove features or change API in an
incompatible way later.
I think the server side stuff makes sense, it’ll be important for projects like Twisted and such and isn’t really *that* much more effort. Getting too lost in the weeds over advanced features like hot-config-reload I agree is a bad use of resources.
Donald Stufft
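As an added illustration of the design point made in this thread (a minimal ABC now, an enhanced superset later, with SNI restricted to choosing a certificate), here is a small Python sketch. It is example code written for this page, not PEP 543's API or any real TLS backend; every class, method and callback name in it is an assumption, and the "certificates" are constructed stand-ins with no cryptography behind them.

```python
"""Added example: a minimal TLS server-context ABC plus a later 'superset'
ABC that adds an SNI hook limited to returning a certificate.

All names here (ServerContext, SNIServerContext, select_certificate, ...)
are assumptions for illustration, not the API of PEP 543 or any backend.
"""
from abc import ABC, abstractmethod
from dataclasses import dataclass
from typing import Callable, Dict, Optional


@dataclass(frozen=True)
class Certificate:
    """Constructed stand-in for a certificate/key pair (no real crypto)."""
    subject: str
    pem: bytes


@dataclass(frozen=True)
class TLSConfiguration:
    """Immutable configuration: nothing in the base ABC mutates it in place."""
    certificate: Certificate
    min_version: str = "TLSv1.2"


class ServerContext(ABC):
    """Version-1 ABC: the surface every backend must provide. Once shipped,
    methods can only be added in a later superset, never removed."""

    def __init__(self, configuration: TLSConfiguration) -> None:
        self._configuration = configuration

    @property
    def configuration(self) -> TLSConfiguration:
        return self._configuration

    @abstractmethod
    def select_certificate(self, server_name: Optional[str]) -> Certificate:
        """Return the certificate to present for this handshake."""


class SimpleServerContext(ServerContext):
    """A backend that only knows the v1 ABC: SNI is ignored."""

    def select_certificate(self, server_name: Optional[str]) -> Certificate:
        return self.configuration.certificate


# The hook may only pick a certificate; it cannot change versions or ciphers.
SNICallback = Callable[[str], Optional[Certificate]]


class SNIServerContext(ServerContext):
    """Later superset: adds an SNI hook without touching the v1 surface."""

    def __init__(self, configuration: TLSConfiguration,
                 sni_callback: Optional[SNICallback] = None) -> None:
        super().__init__(configuration)
        self._sni_callback = sni_callback

    def select_certificate(self, server_name: Optional[str]) -> Certificate:
        if server_name is not None and self._sni_callback is not None:
            chosen = self._sni_callback(server_name)
            if chosen is not None:
                # Enforce the restriction: anything but a Certificate is a bug.
                if not isinstance(chosen, Certificate):
                    raise TypeError("SNI callback may only return a Certificate")
                return chosen
        # Unknown name or no hook: fall back to the configured certificate.
        return self.configuration.certificate


def supports_sni(ctx: ServerContext) -> bool:
    """Applications needing per-name certificates check this explicitly
    instead of assuming every backend implements the superset."""
    return isinstance(ctx, SNIServerContext)


# Constructed sample data (not real certificates).
DEFAULT_CERT = Certificate("default", b"-----BEGIN CERTIFICATE----- default")
VHOST_CERTS: Dict[str, Certificate] = {
    "a.example.test": Certificate("a", b"-----BEGIN CERTIFICATE----- a"),
    "b.example.test": Certificate("b", b"-----BEGIN CERTIFICATE----- b"),
}
CONFIG = TLSConfiguration(certificate=DEFAULT_CERT)


def demo() -> Dict[str, str]:
    """Show v1 and superset contexts side by side; returns chosen subjects."""
    v1 = SimpleServerContext(CONFIG)
    v2 = SNIServerContext(CONFIG, sni_callback=VHOST_CERTS.get)
    return {
        "v1_for_a": v1.select_certificate("a.example.test").subject,
        "v2_for_a": v2.select_certificate("a.example.test").subject,
        "v2_unknown": v2.select_certificate("nope.example.test").subject,
        "v2_no_sni": v2.select_certificate(None).subject,
    }


if __name__ == "__main__":
    print(demo())
```

The point of the sketch is the shape, not the crypto: `SimpleServerContext` stays valid forever, `SNIServerContext` only adds, and the hook's return type is checked so that "hot" changes are limited to the certificate rather than the whole configuration.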