Re: SNI spoofing in HAproxy?

2021-07-05 Thread Joao Morais
> On 5 Jul 2021, at 09:30, Froehlich, Dominik wrote:
>
> Here is my iteration of your solution:
>
> http-request set-var(txn.host) hdr(host),field(1,:)
> acl ssl_sni_http_host_match ssl_fc_sni,strcmp(txn.host) eq 0
> http-request deny deny_status 421 if !ssl_sni_http_host_ma

Re: SNI spoofing in HAproxy?

2021-07-05 Thread Tim Düsterhus
Dominik,
On 7/5/21 2:30 PM, Froehlich, Dominik wrote:
> I've played around with your solution a bit and I think I may have found two issues with it:
> - It doesn't check if the client uses SNI at all and it will deny the request if no SNI is used
I always use 'strict-sni' on the bind line, so t

Re: SNI spoofing in HAproxy?

2021-07-05 Thread Froehlich, Dominik
Hi Tim,
I've played around with your solution a bit and I think I may have found two issues with it:
- It doesn't check if the client uses SNI at all and it will deny the request if no SNI is used
- It fails if the client adds a port to the host header
So to my understanding, it is perfectly f

Re: SNI spoofing in HAproxy?

2021-06-25 Thread Tim Düsterhus
Dominik,
On 6/25/21 10:42 AM, Froehlich, Dominik wrote:
> Your code sends a 421 if the SNI and host header don't match. Is this the recommended behavior? The RFC is pretty thin here:
> "Since it is possible for a client to present a different server_name in the application protocol, applicat

Re: SNI spoofing in HAproxy?

2021-06-25 Thread Froehlich, Dominik
Tim,
Thank you for your reply.
Your code sends a 421 if the SNI and host header don't match. Is this the recommended behavior? The RFC is pretty thin here:
"Since it is possible for a client to present a different server_name in the application protocol, application server implementations

Re: SNI spoofing in HAproxy?

2021-06-24 Thread Willy Tarreau
On Thu, Jun 24, 2021 at 04:07:33PM +0200, Tim Düsterhus wrote:
> Julien,
>
> On 6/24/21 3:40 PM, Julien Pivotto wrote:
> > >use_backend bob if { hdr(host) -m dom bob.com }
> > >use_backend alice if { hdr(host) -m dom alice.com }
> >
> > Thanks for taking the time to write this report.
> >

Re: SNI spoofing in HAproxy?

2021-06-24 Thread Tim Düsterhus
Julien,
On 6/24/21 3:40 PM, Julien Pivotto wrote:
use_backend bob if { hdr(host) -m dom bob.com }
use_backend alice if { hdr(host) -m dom alice.com }
Thanks for taking the time to write this report.
SNI and host header are indeed different. You should consider using req.ssl_sni instead

Re: SNI spoofing in HAproxy?

2021-06-24 Thread Tim Düsterhus
Dominik,
On 6/24/21 3:29 PM, Froehlich, Dominik wrote:
> Not sure if you would call this a security issue, hence I am asking this on the mailing list prior to opening a github issue:
This is also known as "Domain Fronting" (https://en.wikipedia.org/wiki/Domain_fronting). It's not necessarily a

Re: SNI spoofing in HAproxy?

2021-06-24 Thread Julien Pivotto
On 24 Jun 13:29, Froehlich, Dominik wrote:
> Hi,
>
> Not sure if you would call this a security issue, hence I am asking this on
> the mailing list prior to opening a github issue:
>
> I’ve noticed that it is really easy to bypass the check on client
> certificates of a domain when the client c

SNI spoofing in HAproxy?

2021-06-24 Thread Froehlich, Dominik
Hi,
Not sure if you would call this a security issue, hence I am asking this on the mailing list prior to opening a github issue:
I’ve noticed that it is really easy to bypass the check on client certificates of a domain when the client can present a valid certificate for another domain. Consi