curl-library

Re: Manual setting of TLS Server Name Indication

From: Matthieu Speder <mspeder_at_users.sourceforge.net>
Date: Mon, 9 Aug 2010 14:17:51 +0200

Hi Peter,

Many thanks for your answer.
I totally agree that classical usage is to fill with FQDN.

Here is the example...

Imagine one https server with a single dns name (app.haxx.se) and you are
not allowed to create a second entry.
The server has to accept data POST from users.
Some of the users need to auth by basic login/pass and others using client
certificates.

The request of the client certificate must be initiated by the server during
TLS handshake.
So the server needs to know whether to require client cert at the very
beginning of the transaction.
The idea is to fill the SNI field with a hint for the server on which way to
handle the request (similar to when you have two virtual hosts on the same http
server). The RFC mentions the possibility for the server to use SNI to "guide
its selection of an appropriate certificate to return to the client, and/or
other aspects of security policy" which is exactly what I'm trying to
achieve here.

So in my example we can imagine:
- basic auth user sending to https://app.haxx.se, with SNI app.haxx.se
- users with certs still sending to https://app.haxx.se, but with another
SNI like for instance app-ssl.haxx.se

Using SNI is the simplest way I see to solve the issue (and it is working in
my environment). Of course other ideas are welcome.

Last point is that offering an extra option to have advanced control over
SNI in libcurl does not break anything anyway, provided of course default
behavior remains the same.

Matthieu
_________________

Date: Mon, 09 Aug 2010 11:20:01 +0200
From: Peter Sylvester <peter.sylvester_at_edelweb.fr>
To: curl-library_at_cool.haxx.se
Subject: Re: Manual setting of TLS Server Name Indication
Message-ID: <4C5FC841.8000607_at_edelweb.fr>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

By design of the protocol extension,
the SNI value is supposed to be derived from
the host portion of the URL in case it is not
an IP address, and it is supposed to be an FQDN
that at least could be in the DNS (i.e. the owner
of the IP address has the authority).

Gatewaying or proxying using SNI is not a goal
of this extension.

What do you mean multiple virtual hosts sharing
a single DNS entry?

Do you have a real life example?

-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette: http://curl.haxx.se/mail/etiquette.html
Received on 2010-08-09