Re: SNI requirement for H2

Willy Tarreau <w@1wt.eu> Fri, 03 April 2015 20:30 UTC

Date: Fri, 03 Apr 2015 22:26:32 +0200
From: Willy Tarreau <w@1wt.eu>
To: Martin Thomson <martin.thomson@gmail.com>
Cc: Roberto Peon <grmocg@gmail.com>, Nicholas Hurley <hurley@mozilla.com>, HTTP Working Group <ietf-http-wg@w3.org>
Message-ID: <20150403202632.GQ15429@1wt.eu>
Archived-At: <http://www.w3.org/mid/20150403202632.GQ15429@1wt.eu>

Hi Martin,

On Fri, Apr 03, 2015 at 12:58:20PM -0700, Martin Thomson wrote:
> On 3 April 2015 at 12:25, Willy Tarreau <w@1wt.eu> wrote:
> > On Fri, Apr 03, 2015 at 12:06:36PM -0700, Roberto Peon wrote:
> >> Does anyone recall why 6066 has no SNI for IP literals? (It could be an
> >> empty SNI field or the SNI could indicate the IP literal)?
> >
> > I find it surprising as well, given that NAT/reverse proxy is very common
> > in front of servers and that the address specified in the URL bar (hence in
> > the SNI if it were sent) would be authoritative and would not necessarily
> > match the one the server sees on the local socket.
> 
> I don't believe that anyone bothered to define it.  SNI was (and still
> largely is) designed to solve the virtual hosting problem.  Clearly
> you don't have that problem if you have an IP address.

You definitely can in fact, even though that's not very common. I used to
work for a customer where all internal applications were referenced by
their IP address because for many years there was no DNS. And it's
perfectly valid to do virtual hosting with IP addresses as well; what
happens there is the following:


                 load balancer

                 +-------------+
     ----------> | 10.0.0.1:80 |
  clients        |             | ----------> 10.1.1.1:8000  (srv1)
     ----------> | 10.0.0.2:80 |
                 |             | ----------> 10.1.1.2:8000  (srv2)
     ----------> | 10.0.0.3:80 |
                 +-------------+

So the servers only see the "public" IP address in their host header
field (the 10.0.0.X ones) and route to the correct application thanks
to this.

I can well see how that can be transposed to TLS using SNI. Maybe
the reason why it's not supported in this case is to avoid emitting
IP-based certs, I don't know. But the use case is valid even if rare,
and even if there are workarounds (e.g. declaring hostnames in a DNS).

> As for using AUTH48, I think that all we need to do is add a "...if a
> domain name is used." clause or something like that

Yes, that would make sense to fix the issue reported by Nicholas.

> The problem with
> this is that it would require Specification Track Manager approval.

I trust you on this, I don't know the process :-)

Cheers,
Willy
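As an added example (not code from this thread or from any of its participants), the following Python models the Host-header routing sketched in the diagram above and applies the RFC 6066 rule that the SNI HostName carries DNS names only, so an IP-literal Host header has no SNI counterpart. The routing table, and the backend behind the third listener address, are constructed assumptions.

```python
import ipaddress
import re
from typing import Optional, Tuple

# Constructed routing table mirroring the diagram: each load-balancer
# listener address (what the server sees in the Host header) maps to one
# backend application. The backend for 10.0.0.3 is an assumption.
BACKENDS = {
    "10.0.0.1": ("10.1.1.1", 8000),  # srv1
    "10.0.0.2": ("10.1.1.2", 8000),  # srv2
    "10.0.0.3": ("10.1.1.1", 8000),  # assumed: shares srv1
}

_NAME_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9.-]*[A-Za-z0-9])?$")


def parse_host(host_header: str) -> Tuple[str, Optional[int], str]:
    """Split a Host header value into (host, port, kind).

    kind is 'ipv4', 'ipv6' or 'name'. IPv6 literals must be bracketed
    (RFC 3986 host syntax); anything malformed raises ValueError.
    """
    value = host_header.strip()
    if not value:
        raise ValueError("empty Host header")
    if value.startswith("["):
        end = value.find("]")
        if end < 0:
            raise ValueError("unterminated IPv6 literal")
        host, rest = value[1:end], value[end + 1:]
        ipaddress.IPv6Address(host)  # raises on an invalid literal
        kind = "ipv6"
    else:
        host, sep, tail = value.partition(":")
        rest = (":" + tail) if sep else ""
        try:
            ipaddress.IPv4Address(host)
            kind = "ipv4"
        except ValueError:
            if not _NAME_RE.match(host):
                raise ValueError("invalid host name")
            kind = "name"
    port = None
    if rest:
        if not rest.startswith(":") or not rest[1:].isdigit():
            raise ValueError("invalid port")
        port = int(rest[1:])
    return host.lower(), port, kind


def sni_name_for(host: str, kind: str) -> Optional[str]:
    """RFC 6066 section 3: HostName is a DNS name; IP literals are not
    permitted. Returns None for the IP-literal case discussed in the thread."""
    return host if kind == "name" else None


def route(host_header: str) -> Optional[Tuple[str, int]]:
    """Pick the backend the way the load balancer in the diagram does:
    purely on the Host header's IP literal, listener port defaulting to 80."""
    host, port, _kind = parse_host(host_header)
    if (port or 80) != 80:
        return None
    return BACKENDS.get(host)
```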