Re: [TLS] Requiring SNI for HTTPS

David Holmes <d.holmes@f5.com> Thu, 29 May 2014 05:33 UTC

From: David Holmes <d.holmes@f5.com>
To: Mark Nottingham <mnot@mnot.net>, TLS Mailing List <tls@ietf.org>
Thread-Topic: [TLS] Requiring SNI for HTTPS
Date: Thu, 29 May 2014 05:33:02 +0000
Message-ID: <859F43324A6FEC448BFEA30C90405FA9048C30@SEAEMBX02.olympus.F5Net.com>
References: <B9A642C0-8535-4A92-B620-68BFDD9E2296@mnot.net>
In-Reply-To: <B9A642C0-8535-4A92-B620-68BFDD9E2296@mnot.net>
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/W7xHd6svFCfcQIFNTDichYtps4Y
Subject: Re: [TLS] Requiring SNI for HTTPS

Do you have any visibility into what percentage of visitors are now getting blocked? Either because they don't have TLS or because they don't present SNI? Or both?

-----Original Message-----
From: TLS [mailto:tls-bounces@ietf.org] On Behalf Of Mark Nottingham
Sent: Wednesday, May 28, 2014 9:13 PM
To: TLS Mailing List
Subject: [TLS] Requiring SNI for HTTPS

Hey TLS WG,

Recently, I migrated two of the Web sites that I host to TLS-only, using the same IP address (and thus using SNI).

The details are here:
  https://www.mnot.net/blog/2014/05/09/if_you_can_read_this_youre_sniing

When doing so, I decided to require SNI, returning an error when it isn't presented. This seemed like the logical thing to do; after all, if the client doesn't present SNI, it might be presented with www.mnot.net's cert when the browser thinks it's going to redbot.org, and the user gets a cert error dialog. I don't want to contribute to training them to click through those...

Anyway, a couple of questions for your collective wisdom.

1) For HTTPS, is it reasonable for rejecting SNI-less requests to be the default when the server actually uses SNI to dispatch to the correct origin? (This may be a better question for WEBSEC or elsewhere, but I thought I'd ask here first). Right now in Apache, you have to go pretty far out of your way to get this behaviour.

2) When rejecting an SNI-less request, Apache currently generates a 403 Forbidden. However, I actually suspect that a 400 Bad Request (or a new status code) would be more appropriate, since 400 is also used when Host isn't available, and this is directly analogous. 

See also the Apache bug I raised about this: <https://issues.apache.org/bugzilla/show_bug.cgi?id=56508>. In particular, I don't see how sites can reasonably start requiring SNI until server-side software makes it easier to serve an error document explaining what's happening to users that don't emit it.

Any thoughts?

Cheers,


--
Mark Nottingham   https://www.mnot.net/



_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
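The decision Mark describes (inspect the ClientHello, and if no server_name is present refuse rather than hand out the default vhost's certificate) is easy to state but worth seeing at the byte level, since the SNI check happens before any HTTP request exists. The block below is an added example written for this archive page; it is not code from the thread, from Apache, or from F5. It parses the server_name extension (RFC 6066) out of a raw TLS ClientHello record, then applies a strict or lenient dispatch policy over a hypothetical vhost table. The ClientHello bytes are constructed by the `build_client_hello` helper rather than captured from a real client, the vhost names and origins are assumptions, and the alert name used for an unknown host is the RFC 6066 `unrecognized_name` description; an absent SNI has no dedicated alert, so the reason string for that case is simply a label.

```python
"""Extract SNI from a TLS ClientHello and decide how an SNI-dispatching front end
treats the connection. Added example; not code from the thread, Apache, or F5."""
import struct

SNI_EXTENSION_TYPE = 0x0000   # RFC 6066 server_name extension
HOST_NAME_TYPE = 0x00         # name_type host_name

# Hypothetical virtual-host table for this example: SNI name -> origin.
VHOSTS = {"www.mnot.net": "mnot-site", "redbot.org": "redbot-site"}
DEFAULT_VHOST = "www.mnot.net"   # what a non-strict server falls back to


def _take(buf, pos, n):
    """Slice n bytes at pos; malformed or truncated hellos raise ValueError."""
    if pos + n > len(buf):
        raise ValueError("truncated ClientHello")
    return buf[pos:pos + n], pos + n


def _u8(buf, pos):
    b, pos = _take(buf, pos, 1)
    return b[0], pos


def _u16(buf, pos):
    b, pos = _take(buf, pos, 2)
    return struct.unpack("!H", b)[0], pos


def extract_sni(record):
    """Return the host_name from the ClientHello's server_name extension, or None
    when no SNI was presented. Raises ValueError on malformed input."""
    hdr, pos = _take(record, 0, 5)                  # TLS record header
    content_type, _version, rec_len = struct.unpack("!BHH", hdr)
    if content_type != 0x16:
        raise ValueError("not a handshake record")
    body, _ = _take(record, pos, rec_len)
    hs_hdr, p = _take(body, 0, 4)                   # msg_type(1) + length(3)
    if hs_hdr[0] != 0x01:
        raise ValueError("not a ClientHello")
    hello, _ = _take(body, p, int.from_bytes(hs_hdr[1:4], "big"))
    p = 2 + 32                                      # legacy_version + random
    n, p = _u8(hello, p)                            # session_id
    _, p = _take(hello, p, n)
    n, p = _u16(hello, p)                           # cipher_suites
    _, p = _take(hello, p, n)
    n, p = _u8(hello, p)                            # compression_methods
    _, p = _take(hello, p, n)
    if p == len(hello):
        return None                                 # no extensions block (pre-SNI client)
    ext_total, p = _u16(hello, p)
    exts, _ = _take(hello, p, ext_total)
    q = 0
    while q < len(exts):
        ext_type, q = _u16(exts, q)
        ext_len, q = _u16(exts, q)
        data, q = _take(exts, q, ext_len)
        if ext_type != SNI_EXTENSION_TYPE:
            continue
        list_len, r = _u16(data, 0)
        names, _ = _take(data, r, list_len)
        r = 0
        while r < len(names):
            name_type, r = _u8(names, r)
            name_len, r = _u16(names, r)
            name, r = _take(names, r, name_len)
            if name_type == HOST_NAME_TYPE:
                return name.decode("ascii")
        return None                                 # extension present, no host_name entry
    return None


def build_client_hello(sni=None, ciphers=(0x1301, 0x002F)):
    """Constructed ClientHello for this example (not captured traffic). With
    sni=None no extensions block is emitted at all, like an SNI-less client."""
    hello = b"\x03\x03" + b"\x11" * 32             # legacy_version + fixed "random"
    hello += b"\x00"                               # empty session_id
    suites = b"".join(struct.pack("!H", c) for c in ciphers)
    hello += struct.pack("!H", len(suites)) + suites
    hello += b"\x01\x00"                           # one compression method: null
    if sni is not None:
        host = sni.encode("ascii")
        entry = struct.pack("!BH", HOST_NAME_TYPE, len(host)) + host
        sni_data = struct.pack("!H", len(entry)) + entry
        ext = struct.pack("!HH", SNI_EXTENSION_TYPE, len(sni_data)) + sni_data
        hello += struct.pack("!H", len(ext)) + ext
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def dispatch(record, vhosts=VHOSTS, strict=True):
    """Policy decision: ("serve", origin) or ("reject", reason)."""
    try:
        name = extract_sni(record)
    except ValueError as exc:
        return ("reject", "malformed: %s" % exc)
    if name is None:
        if strict:
            # Refuse instead of presenting the default vhost's certificate, which is
            # the wrong cert for every other site and trains users to click through.
            return ("reject", "no SNI presented")
        return ("serve", vhosts[DEFAULT_VHOST])
    if name not in vhosts:
        return ("reject", "unrecognized_name")       # RFC 6066 alert description
    return ("serve", vhosts[name])


if __name__ == "__main__":
    for sni in ("www.mnot.net", "redbot.org", "example.invalid", None):
        print(sni, "->", dispatch(build_client_hello(sni)))
```

Running the block prints the policy outcome for each constructed hello; the strict path is the one the thread argues for, and the `strict=False` path is the Apache default Mark describes, where the connection proceeds with whatever certificate the default vhost carries.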