
Re: RFE: SNI and HTTP Host Header

From: Kristian Fiskerstrand <kristian.fiskerstrand_at_sumptuouscapital.com>
Date: Sun, 11 Nov 2012 13:35:21 +0100

On 11/11/2012 11:01 AM, Oscar Koeroo wrote:
> On 10-11-12 20:45, Kristian Fiskerstrand wrote:
>> My crawler uses curl as the basis for the requests, and as I connect
>> using the hostname found in server-discovery, whereby I need it to be
>> valid for the purpose of a DNS Round Robin, it uses the HTTP Host:
>> header matching the keyserver pool. The issue with vanilla curl is,
>> however, that there is no way to manually set the SNI hostname to use,
>> and it will default to the hostname of the request.
>
> Would a separate option not be more useful for explicit testing the SNI on
> a service which can state the hostname to be pushed via the TLS handshake?

I'm fine with both for my purposes, but using the Host: header fits in
nicely with the rest of the testing, so avoids setting yet another
option. An argument for such an approach would be for non-HTTP
transports, where there is no such header.

>
>
>> As such I have created a (very) crude patch that will use the Host
>> header presented instead. Based on a patch I found in the curl mailing
>> list archives[0, 1] and rebased it to the current 7.2x version (lastly
>> applied to 7.28).
>
> I had the impression the conn->host.name was used to set the "Host:"
> header. And in the patch I read that the "Host:" is dug up and set as the
> to-be-used SNI value where first the conn->host.name was used.
>
> Could you tell or point me how this interaction works? I'm confused
> because I thought it was the same string :-)
>

The Host: header can be explicitly set in the request using
curl_easy_setopt() with a CURLOPT_HEADER. This can differ from the
conn->host.name, e.g. when (i) testing a specific server in a cluster
server using IP address, or (ii) as in my case, when wanting to test for
inclusion in a DNS RR Pool while connecting to a specific host.

The patch tests if such a Host: header is set in the request, and if it
is, uses this for the SNI, while if not it defaults to the original
conn->host.name.

PS! Seems I posted the link to the wrong archive post in one of my
earlier references, the correct one is
http://curl.haxx.se/mail/lib-2010-11/0021.html (see the attachment in
the post)

-- 
----------------------------
Kristian Fiskerstrand
http://www.sumptuouscapital.com
Twitter: @krifisk
----------------------------
Acta est fabula
So ends the story
----------------------------
This email was digitally signed using the OpenPGP
standard. If you want to read more about this
The book: Sending Emails - The Safe Way: An
introduction to OpenPGP security is
available in both Amazon Kindle and Paperback
format at
http://www.amazon.com/dp/B006RSG1S4/
----------------------------
Public PGP key 0xE3EDFAE3 at http://www.sumptuouscapital.com/pgp/
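The three names the thread keeps apart (the address curl connects to, the SNI name in the TLS handshake, and the HTTP Host: header) shown in a small added example using only the Python standard library; this is not the patch or curl's own code. The selection rule mirrors what the patch describes (an explicit Host: header wins, otherwise the URL hostname), and all hostnames and addresses are constructed placeholders.

```python
"""Decouple connect address, TLS SNI and HTTP Host: as the patch does."""
import socket
import ssl

def sni_from_headers(url_host, custom_headers):
    """Pick the SNI name: an explicit Host: header if present,
    else the URL hostname (curl's conn->host.name)."""
    for line in custom_headers:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "host":
            host = value.strip()
            # Host: may carry a port (host:port); SNI carries the name only
            if host.startswith("["):          # bracketed IPv6 literal
                host = host[1:host.index("]")]
            elif host.count(":") == 1:
                host = host.split(":")[0]
            return host
    return url_host

def build_request(path, url_host, custom_headers):
    """HEAD request; an explicit Host: header replaces the default one."""
    has_host = any(l.split(":")[0].strip().lower() == "host"
                   for l in custom_headers)
    lines = [f"HEAD {path} HTTP/1.1"]
    if not has_host:
        lines.append(f"Host: {url_host}")
    lines.extend(custom_headers)
    lines.append("Connection: close")
    return "\r\n".join(lines) + "\r\n\r\n"

def probe(connect_addr, url_host, custom_headers, path="/", port=443):
    """Connect to one pool member by address but present the pool name in
    SNI and Host:, so its certificate is verified against the pool name.
    Needs network access; returns (sni used, HTTP status line)."""
    sni = sni_from_headers(url_host, custom_headers)
    ctx = ssl.create_default_context()
    with socket.create_connection((connect_addr, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=sni) as tls:
            tls.sendall(build_request(path, url_host, custom_headers).encode())
            status = tls.recv(4096).split(b"\r\n", 1)[0].decode(errors="replace")
    return sni, status

if __name__ == "__main__":
    # constructed placeholders: a pool member's name and the pool name
    print(sni_from_headers("member1.pool.example", ["Host: pool.example:443"]))
```

With the explicit header, the handshake carries pool.example in SNI and the request carries the same Host:, while the TCP connection still goes to the individual member, which is the test the thread is after.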


Received on 2012-11-11