You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@httpd.apache.org by Stefan Eissing <st...@greenbytes.de> on 2018/04/11 09:48:37 UTC

SNI normalization?

Feedback desired:

Checking my server logs, I regularly see clients using SNI with port identifier, 
as in: test.example.org:443

I am not sure what client that is, but we do not identify the vhost that is
(probably) intended. Then the request comes in, and there we have magic that
finds the correct r->server. Then we mod_ssl sees that sslconn->server != r->server
and does some compatibility checks. If the base server and vhost have incompatible
settings (e.g. other certs/ciphers etc.), the request fails.

This seems to be wrong. Do we need the same normalization that we have in Host: header
parsing in SNI?

-Stefan

Re: SNI normalization?

Posted by Stefan Eissing <st...@greenbytes.de>.

Regarding this, I wrote the attached patch that adds a new method

AP_DECLARE(apr_status_t) ap_normalize_hostname(conn_rec *c, const char **phostname);

to http_vhost.h with some internal rewiring so that request_rec fix_hostname()
and this method have a common base.

Re: SNI normalization?

Posted by Yann Ylavic <yl...@gmail.com>.

ISTR that the RFC about SNI forbids port numbers (I find it
unfortunate as a matter of fact, given that host names may contain
ports...).
Just to say that normalization may come with ports handling/relaxing
in several places, which I support!

On Wed, Apr 11, 2018 at 11:52 AM, Plüm, Rüdiger, Vodafone Group
<ru...@vodafone.com> wrote:
> I guess this makes sense to avoid these kind of issues.
>
> Regards
>
> Rüdiger
>
>> -----Ursprüngliche Nachricht-----
>> Von: Stefan Eissing [mailto:stefan.eissing@greenbytes.de]
>> Gesendet: Mittwoch, 11. April 2018 11:49
>> An: dev@httpd.apache.org
>> Betreff: SNI normalization?
>>
>> Feedback desired:
>>
>> Checking my server logs, I regularly see clients using SNI with port
>> identifier,
>> as in: test.example.org:443
>>
>> I am not sure what client that is, but we do not identify the vhost that
>> is
>> (probably) intended. Then the request comes in, and there we have magic
>> that
>> finds the correct r->server. Then we mod_ssl sees that sslconn->server
>> != r->server
>> and does some compatibility checks. If the base server and vhost have
>> incompatible
>> settings (e.g. other certs/ciphers etc.), the request fails.
>>
>> This seems to be wrong. Do we need the same normalization that we have
>> in Host: header
>> parsing in SNI?
>>
>> -Stefan

AW: SNI normalization?

Posted by Plüm, Rüdiger, Vodafone Group <ru...@vodafone.com>.

I guess this makes sense to avoid these kind of issues.

Regards

Rüdiger

> -----Ursprüngliche Nachricht-----
> Von: Stefan Eissing [mailto:stefan.eissing@greenbytes.de]
> Gesendet: Mittwoch, 11. April 2018 11:49
> An: dev@httpd.apache.org
> Betreff: SNI normalization?
> 
> Feedback desired:
> 
> Checking my server logs, I regularly see clients using SNI with port
> identifier,
> as in: test.example.org:443
> 
> I am not sure what client that is, but we do not identify the vhost that
> is
> (probably) intended. Then the request comes in, and there we have magic
> that
> finds the correct r->server. Then we mod_ssl sees that sslconn->server
> != r->server
> and does some compatibility checks. If the base server and vhost have
> incompatible
> settings (e.g. other certs/ciphers etc.), the request fails.
> 
> This seems to be wrong. Do we need the same normalization that we have
> in Host: header
> parsing in SNI?
> 
> -Stefan