On Wednesday 16 March 2016 11:59:04 Daniel Stenberg wrote:
> On Wed, 16 Mar 2016, Tim Ruehsen wrote:
> > Here is a patch for both openssl and gnutls. Please comment, I'll push it
> > tomorrow.
>
> The bug report says the SNI field should be different than the Host: header,
> but I question the sensibility in that. What would be the point? (pun not
> intended =B))
>
> When requesting contents from an HTTPS site, the SNI field will tell the
> server which particular virtual server to get the data from and when the
> trailing dot gets stripped the two strings with and without dot will end up
> on the same virtual server. Sending a Host: header that doesn't match the
> virtual server name is then likely to either get ignored or to cause
> the HTTP backend to complain.
>
> It will also make it behave a bit different for HTTP than for HTTPS since
> then there's no SNI field and the Host: header is what will be used and
> then they clearly are different servers.
>
> And incidentally, curl strips the trailing dot off from both SNI and Host:
> =)
That is what I would like to do as well. It seems consistent. And the patch introduces non-elegant code (not really my favor).

And for DNS lookups... is there a difference between dot and not-dot (e.g. example.com vs. example.com.)?

The patch follows Yst Dawson's conclusion, though:

"That means that the SNI host name and HTTP Host header do not always match. The SNI host name must never have a trailing dot, but the HTTP Host header must reflect a host name that is identical to the host name of the URI, so if the URI's host has a trailing dot, the HTTP Host header must include that trailing dot."

Also what Jay Satiro says:

"I tried this in Firefox, Chrome and IE and all send the trailing dot for SNI."

Should we follow the browsers or curl?

Tim
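The three trailing-dot behaviours weighed in this thread (curl's, the patch following Yst Dawson's conclusion, and the browsers' as reported by Jay Satiro), as an added Python example that is not code from wget, curl or any poster; the policy names are mine, and keeping the dot in the Host: header for the browser case is an assumption, since the thread only reports what browsers put in SNI:

```python
from urllib.parse import urlsplit
import ipaddress

# Policies discussed in the thread (names are assumed, not the projects' own):
#   "curl"    - strip the trailing dot from both SNI and Host: (what curl does)
#   "patch"   - strip it from SNI only, keep it in Host: (Yst Dawson's conclusion)
#   "browser" - keep it in SNI as observed for Firefox/Chrome/IE; keeping it in
#               Host: as well is an assumption, the thread only reports SNI
POLICIES = ("curl", "patch", "browser")


def _strip_trailing_dot(name):
    # A single trailing dot marks a fully qualified DNS name; strip exactly one.
    return name[:-1] if name.endswith(".") else name


def same_virtual_server(a, b):
    """True when two names select the same TLS virtual server after the
    server-side normalisation Daniel describes (dot stripped, case folded)."""
    return _strip_trailing_dot(a).lower() == _strip_trailing_dot(b).lower()


def sni_and_host(url, policy="curl"):
    """Return (sni, host_header) for an http(s) URL under one policy.
    sni is None when no SNI is sent: plain HTTP, or an IP literal (RFC 6066)."""
    if policy not in POLICIES:
        raise ValueError(f"unknown policy {policy!r}")
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError("need an http(s) URL with a host")
    host = parts.hostname  # lower-cased; IPv6 brackets already removed
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:
        # IP literals carry no SNI, and the trailing-dot question does not arise
        sni = None
        host_name = f"[{host}]" if ip.version == 6 else host
    else:
        host_name = _strip_trailing_dot(host) if policy == "curl" else host
        if parts.scheme != "https":
            sni = None  # no TLS, so only the Host: header reaches the server
        elif policy == "browser":
            sni = host
        else:
            sni = _strip_trailing_dot(host)
    default_port = 443 if parts.scheme == "https" else 80
    if parts.port not in (None, default_port):
        host_name = f"{host_name}:{parts.port}"  # Host: carries a non-default port
    return sni, host_name
```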
