Re: [TLS] Server Name Indication (SNI) in an IPv6 world?

"Steingruebl, Andy" <asteingruebl@paypal-inc.com> Wed, 27 October 2010 16:15 UTC

From: "Steingruebl, Andy" <asteingruebl@paypal-inc.com>
To: Matt McCutchen <matt@mattmccutchen.net>, IETF TLS WG <tls@ietf.org>
Date: Wed, 27 Oct 2010 10:17:04 -0600
Thread-Topic: [TLS] Server Name Indication (SNI) in an IPv6 world?
Thread-Index: Act1gYjphzLyyFi3T9KuDF8nfzc4rgAcLc/A
Message-ID: <5EE049BA3C6538409BBE6F1760F328ABEB01DE11FE@DEN-MEXMS-001.corp.ebay.com>
References: <4CC765D6.6020704@KingsMountain.com> <1288145780.6053.50.camel@mattlaptop2.local> <1288147744.6053.51.camel@mattlaptop2.local>
In-Reply-To: <1288147744.6053.51.camel@mattlaptop2.local>

> -----Original Message-----
> From: tls-bounces@ietf.org [mailto:tls-bounces@ietf.org] On Behalf Of Matt
> McCutchen
> Sent: Tuesday, October 26, 2010 7:49 PM
> To: IETF TLS WG
> Subject: Re: [TLS] Server Name Indication (SNI) in an IPv6 world?
> 
> On Tue, 2010-10-26 at 22:16 -0400, Matt McCutchen wrote:
> > Incidentally, it looks like lists.fedoraproject.org does not check
> > either SNI or the HTTP Host header.  I made a connection and indicated
> > admin.fedoraproject.org in both places and it happily served me wrong
> > content.  I will file a ticket.
> 
> Has this kind of issue been discussed before?  I wonder if many other sites
> are affected.

On non-SSL hosts this gets a lot of play, as web servers that don't pay attention to Host headers can become victims of DNS rebinding attacks.  So, only serving content you really intend to for given hostnames is a pretty good idea.

- Andy
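The mitigation Andy describes above, serving only the hostnames you intend to and refusing everything else, as an added example that is not part of this thread or of any listed project's code. It normalizes the HTTP Host header (port suffix, case, trailing dot), rejects IP literals and malformed names, checks the result against an allowlist, and, for TLS connections, requires the name the client asked for in SNI to match the Host it then requests. The allowlist, the example.org names and the `HostCheckingHandler` class are constructed for this example.

```python
import ipaddress
import re
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Optional, Tuple

# Constructed configuration for this example: the only hostnames this
# server is intended to serve. Any other Host value is refused.
SERVED_HOSTNAMES = {"lists.example.org", "admin.example.org"}

# One DNS label: 1-63 chars of letters, digits, hyphen; no leading/trailing hyphen.
_LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def normalize_host(host_header: Optional[str]) -> Optional[str]:
    """Extract a canonical DNS name from a Host header (or SNI) value.

    Returns None when the value is missing, empty, an IP literal (the usual
    shape of a direct-IP or DNS-rebinding request) or not a well-formed name.
    """
    if not host_header:
        return None
    value = host_header.strip()
    # Bracketed IPv6 literal such as "[2001:db8::1]:443" is never a served name.
    if value.startswith("["):
        return None
    # At most one colon may appear in "host:port" once IPv6 literals are excluded.
    if value.count(":") > 1:
        return None
    name = value.split(":", 1)[0].rstrip(".").lower()
    try:
        ipaddress.ip_address(name)
        return None  # bare IPv4 literal
    except ValueError:
        pass
    if not name or len(name) > 253:
        return None
    if not all(_LABEL.match(label) for label in name.split(".")):
        return None
    return name


def host_is_served(host_header: Optional[str],
                   sni: Optional[str] = None) -> Tuple[bool, str]:
    """Decide whether a request may be served on this virtual host.

    host_header: the HTTP Host header as received (None if absent).
    sni: the TLS server_name the client sent, or None for plain HTTP.
    Returns (allowed, reason).
    """
    name = normalize_host(host_header)
    if name is None:
        return False, "missing, malformed or IP-literal Host header"
    if name not in SERVED_HOSTNAMES:
        return False, f"host {name!r} is not served here"
    if sni is not None:
        # The client negotiated TLS for one name; the request must be for that name.
        if normalize_host(sni) != name:
            return False, f"SNI {sni!r} does not match Host {name!r}"
    return True, "ok"


class HostCheckingHandler(BaseHTTPRequestHandler):
    """Minimal plain-HTTP handler that refuses names it does not serve."""

    def do_GET(self):
        allowed, reason = host_is_served(self.headers.get("Host"))
        if not allowed:
            # 421 Misdirected Request (RFC 9110): this server is not
            # configured for the requested authority.
            self.send_error(421, reason)
            return
        body = f"served content for {self.headers['Host']}\n".encode()
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    # Loopback-only demo server; try it with different Host values using curl -H.
    HTTPServer(("127.0.0.1", 8080), HostCheckingHandler).serve_forever()
```

The same `host_is_served` check can be fed the negotiated SNI from a TLS front end; a mismatch between the SNI name and the Host header is then refused just like an unknown Host, which is the condition Matt observed being ignored.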