Oops, I sent this to a personal email address instead of the mailing list. Forwarding to the mailing list. -------- plusendita mesaĝo -------- De: y.st. <[email protected]> Al: Tim Ruehsen <[email protected]> Temo: Re: [Bug-wget] [bug #47408] Wget sends malformed SNI host names Dato: Wed, 16 Mar 2016 09:18:13 -0700
I noticed the problem in both Firefox and Chrome, and the bug has been reported in both, as well as in several other Web browsers. As for cURL, I also saw that error, but I haven't had time to report it yet. I'll probably report it today. In any case, I'd recommend not following either. Instead, it seems like a better idea to follow the RFCs. On mer, 2016-03-16 at 12:46 +0100, Tim Ruehsen wrote: > On Wednesday 16 March 2016 11:59:04 Daniel Stenberg wrote: > > On Wed, 16 Mar 2016, Tim Ruehsen wrote: > > > Here is a patch for both openssl and gnutls. Please comment, I'll push it > > > tomorrow. > > > > The bug report says the SNI field should be different than the Host: header, > > but I question the sensibility in that. What would be the point? (pun not > > intended =B)) > > > > When requesting contents from an HTTPS site, the SNI field will tell the > > server which particular virtual server to get the data from and when the > > trailing dot gets stripped the two strings with and without dot will end up > > on the same virtual server. Sending a Host: header that doesn't match the > > virtual server name then is then likely to either get ignored or to cause > > the HTTP backend to complain. > > > > It will also make it behave a bit different for HTTP than for HTTPS since > > then there's no SNI field and the Host: header is what will be used and > > then they clearly are different servers. > > > > And incidentally, curl strips the trailing dot off from both SNI and Host: > > =) > > That is what I would like to do as well. It seems consistent. And the patch > introduces non-elegant code (not really my favor). > > And for DNS lookups... is there a difference between dot and not-dot (e.g. > example.com vs. example.com.) ? > > The patch follows Yst Dawson's conclusion, though: > "That means that the SNI host name and HTTP Host header do not always match. > The SNI host name must never have a trailing dot, but the HTTP Host header > must reflect a host name that is identical to the host name of the URI, so if > the URI's host has a trailing dot, the HTTP Host header must include that > trailing dot." > > Also what Jay Satiro says: > "I tried this in Firefox, Chrome and IE and all send the trailing dot for > SNI." > > Should we follow the browsers or curl ? > > Tim > -- My PGP key ID is 0xE7464A03 and my fingerprint is D135 B061 DBED 690B 479F E2E3 7D83 E1E5 E746 4A03 I encrypt if I have your key, I sign on request. I only accept signing requests on encrypted mail. -- My PGP key ID is 0xE7464A03 and my fingerprint is D135 B061 DBED 690B 479F E2E3 7D83 E1E5 E746 4A03 I encrypt if I have your key, I sign on request. I only accept signing requests on encrypted mail.
