TLS (WIP)
You can use the same TLS certificate for every server or a different one for each. If one certificate is shared by multiple servers, make sure the hostname of each server is listed in its SAN (Subject Alternative Name) field. Note that misfin servers always use their own separate server certificate because they act as Certificate Authorities for their respective mailbox certificates.
SNI and ALPN
SNI is used to support virtual hosting. When a client doesn’t use SNI, the server defaults to the certificate of the first server added to that bind address + port listener. The exception is a listener that includes a misfin server: in that case the misfin server’s certificate is used.
Most clients do not currently use ALPN (Application-Layer Protocol Negotiation) within the smallnet, but SIS does provide a list of protocols to allow for ALPN when available. ALPN allows the TLS connection to quickly and explicitly negotiate the desired protocol for the incoming request. ALPN values sent in the list include “gemini”, “titan”, and “misfin”.
Since SNI and ALPN are sent in the initial handshake, they are not encrypted. If a user is worried about SNI and ALPN being used to censor or block protocols on networks, then Tor and other censorship-resistant protocols are recommended. SIS provides support for Tor connections.
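The certificate fallback rule and the ALPN list described above can be sketched with Go's standard `crypto/tls` package. This is an added example, not SIS's own code: `vhost`, `selectVHost` and `listenerTLS` are hypothetical names, and refusing a handshake whose SNI name matches no server is an assumption, since the page only describes the case where SNI is absent.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"strings"
)

// vhost is a hypothetical stand-in for one server added to a listener.
type vhost struct {
	Hostname, Protocol string // Protocol: "gemini", "titan" or "misfin"
	Cert               *tls.Certificate
}

// selectVHost: SNI match first; without SNI a misfin server wins, else the first added.
func selectVHost(hosts []vhost, sni string) *vhost {
	for i := range hosts {
		if sni != "" && strings.EqualFold(hosts[i].Hostname, sni) {
			return &hosts[i]
		}
	}
	if sni != "" || len(hosts) == 0 {
		return nil // assumption: an unknown SNI name is refused, not defaulted
	}
	for i := range hosts {
		if hosts[i].Protocol == "misfin" {
			return &hosts[i]
		}
	}
	return &hosts[0]
}

// listenerTLS builds one listener's config; NextProtos is the offered ALPN list.
func listenerTLS(hosts []vhost) *tls.Config {
	return &tls.Config{
		NextProtos: []string{"gemini", "titan", "misfin"},
		GetCertificate: func(h *tls.ClientHelloInfo) (*tls.Certificate, error) {
			v := selectVHost(hosts, h.ServerName)
			if v == nil {
				return nil, fmt.Errorf("no server for SNI %q", h.ServerName)
			}
			return v.Cert, nil
		},
	}
}

func main() {
	hosts := []vhost{{Hostname: "gem.example", Protocol: "gemini"}, {Hostname: "mail.example", Protocol: "misfin"}} // constructed sample
	fmt.Println(selectVHost(hosts, "").Hostname)
}
```

With `NextProtos` set, Go's TLS server still accepts clients that send no ALPN extension, which matches the current smallnet client behaviour described above.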