Re: Question regarding HTTP/2, SNI, and IP addresses

Martin Thomson <mt@lowentropy.net> Tue, 22 June 2021 01:03 UTC

Message-Id: <bc78d96e-d4dd-4a89-8937-165a2c9f86fa@www.fastmail.com>
In-Reply-To: <HE1PR0701MB30500174B18EDB6C2704D15B890D9@HE1PR0701MB3050.eurprd07.prod.outlook.com>
References: <HE1PR0701MB30500174B18EDB6C2704D15B890D9@HE1PR0701MB3050.eurprd07.prod.outlook.com>
Date: Tue, 22 Jun 2021 10:55:08 +1000
From: Martin Thomson <mt@lowentropy.net>
To: ietf-http-wg@w3.org
Archived-At: <https://www.w3.org/mid/bc78d96e-d4dd-4a89-8937-165a2c9f86fa@www.fastmail.com>

On Fri, Jun 18, 2021, at 22:30, John Mattsson wrote:
> Am I correct in my understanding that:
> 
>  * HTTP/2 (RFC 7540) requires support of sending the target domain name 
> in SNI for both TLS 1.2 and TLS 1.3.
>  * IP addresses cannot be sent in SNI.
>  * IP addresses are not domain names.
>  * Therefore, HTTP/2 with HTTPS requires domain names and cannot be 
> used with IP addresses only.

The revision says:

> The TLS implementation MUST support the Server Name Indication (SNI) [TLS-EXT] extension to TLS. If the server is identified by a domain name [DNS-TERMS], clients MUST send the server_name TLS extension unless an alternative mechanism to indicate the target host is used.

-- https://httpwg.org/http2-spec/draft-ietf-httpbis-http2bis.html#section-9.2-2

Is that clearer?  There are also similar updates to the HTTP core documents.

The intent was never to prohibit the use of IP addresses as authority.  That you might interpret the text that way is just an error.
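The rule the revised text describes, as an added worked example that is not code from the thread participants or from the HTTP working group: a client decides whether to send a server_name extension based on whether the authority is a DNS name or an IP literal, and a server decodes the extension and rejects IP literals. The wire format is RFC 6066 section 3; the function names, the constructed sample authorities and the hand-built extension bytes in the test are this example's own. The page does not name the "alternative mechanism" for IP-literal targets; the HTTP/2 :authority pseudo-header is the obvious source, and that is an assumption here.

```python
"""Client-side SNI decision and wire encoding for the TLS server_name extension
(RFC 6066 section 3), plus a server-side decoder that rejects IP literals.

Example added by the editor; not code from the thread participants or the
HTTP working group. Function names are this example's own.
"""
import ipaddress
import struct
from typing import Optional

SNI_EXTENSION_TYPE = 0x0000  # ExtensionType server_name
NAME_TYPE_HOST_NAME = 0x00   # NameType host_name, the only type RFC 6066 defines


def is_ip_literal(host: str) -> bool:
    """True if HOST (as written in an HTTP authority) is an IPv4/IPv6 literal.

    IPv6 literals are bracketed in a URI authority ("[2001:db8::1]"), so strip
    the brackets before parsing; anything ipaddress rejects is treated as a name.
    """
    if host.startswith("[") and host.endswith("]"):
        host = host[1:-1]
    try:
        ipaddress.ip_address(host)
    except ValueError:
        return False
    return True


def server_name_extension(host: str) -> Optional[bytes]:
    """Return the encoded server_name extension for HOST, or None to omit it.

    RFC 6066 permits only DNS host names (ASCII A-labels) in HostName and
    explicitly forbids literal IPv4 and IPv6 addresses, so a client connecting
    to an IP-literal authority sends no server_name extension at all.  The
    server then has to learn the target another way (assumption: for HTTP/2
    the :authority pseudo-header), which is the "alternative mechanism" the
    revised text allows for.
    """
    if is_ip_literal(host):
        return None
    name = host.rstrip(".").encode("ascii")  # caller must IDNA-encode first
    if not (1 <= len(name) <= 0xFFFF):
        raise ValueError("host name length out of range for SNI")
    # ServerName     = NameType(1 byte) + HostName<1..2^16-1>
    server_name = struct.pack("!BH", NAME_TYPE_HOST_NAME, len(name)) + name
    # ServerNameList = <1..2^16-1> vector of ServerName
    server_name_list = struct.pack("!H", len(server_name)) + server_name
    # Extension      = ExtensionType(2 bytes) + extension_data<0..2^16-1>
    return struct.pack("!HH", SNI_EXTENSION_TYPE, len(server_name_list)) + server_name_list


def parse_server_name_extension(ext: bytes) -> str:
    """Decode a server_name extension and return its host_name.

    Every length field is checked against the bytes actually present, and a
    HostName holding an IP literal is rejected, as RFC 6066 requires.
    """
    if len(ext) < 4:
        raise ValueError("extension header truncated")
    ext_type, ext_len = struct.unpack("!HH", ext[:4])
    if ext_type != SNI_EXTENSION_TYPE or ext_len != len(ext) - 4:
        raise ValueError("not a well-formed server_name extension")
    body = ext[4:]
    if len(body) < 2:
        raise ValueError("ServerNameList truncated")
    (list_len,) = struct.unpack("!H", body[:2])
    if list_len == 0 or list_len != len(body) - 2:
        raise ValueError("bad ServerNameList length")
    entries, pos = body[2:], 0
    while pos < len(entries):
        if len(entries) - pos < 3:
            raise ValueError("ServerName header truncated")
        name_type, name_len = struct.unpack("!BH", entries[pos:pos + 3])
        pos += 3
        name = entries[pos:pos + name_len]
        pos += name_len
        if name_len == 0 or len(name) != name_len:
            raise ValueError("bad HostName length")
        if name_type != NAME_TYPE_HOST_NAME:
            continue  # unknown NameType: ignore this entry
        host = name.decode("ascii")  # non-ASCII raises (a ValueError subclass)
        if is_ip_literal(host):
            raise ValueError("literal IP address in HostName is forbidden")
        return host
    raise ValueError("no host_name entry in ServerNameList")


if __name__ == "__main__":
    # Constructed sample authorities, not taken from the thread.
    for authority in ("example.com", "192.0.2.1", "[2001:db8::1]"):
        ext = server_name_extension(authority)
        if ext is None:
            print(f"{authority}: IP literal, no server_name extension sent")
        else:
            print(f"{authority}: {ext.hex()} -> {parse_server_name_extension(ext)}")
```

The decoder is the side worth keeping strict: a client that violates RFC 6066 and stuffs "192.0.2.1" into HostName will be rejected rather than routed, which is the behaviour a server fronting several IP-only virtual hosts should want.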