IETF Logo Mail Archive

Re: [TLS] Server Name Indication (SNI) in an IPv6 world?

aerowolf@gmail.com Thu, 28 October 2010 17:31 UTC

Return-Path: <aerowolf@gmail.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id B95873A69B1 for <tls@core3.amsl.com>; Thu, 28 Oct 2010 10:31:56 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.867
X-Spam-Level:
X-Spam-Status: No, score=0.867 tagged_above=-999 required=5 tests=[AWL=1.714, BAYES_00=-2.599, MIME_BASE64_TEXT=1.753]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FTIbn2Ov7sCt for <tls@core3.amsl.com>; Thu, 28 Oct 2010 10:31:55 -0700 (PDT)
Received: from mail-gw0-f44.google.com (mail-gw0-f44.google.com [74.125.83.44]) by core3.amsl.com (Postfix) with ESMTP id 80CE73A68EB for <tls@ietf.org>; Thu, 28 Oct 2010 10:31:54 -0700 (PDT)
Received: by gwb15 with SMTP id 15so1552902gwb.31 for <tls@ietf.org>; Thu, 28 Oct 2010 10:33:24 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:received:from:to:cc:date:message-id :subject:mime-version:content-type; bh=min0SXe1FBXPy1ARnHU2mfauomD+ml5DTxNHB0DFsZQ=; b=XMwFlJj4U/V63CaGQf0Yl1/KwUQCPpbOKeImx24kyNsM5Bql+kVIAbxR09KQa7nJDx ARTmlOUFTC4EHi+Z2VlgIUOHqZM8uZtc0zH2stbp4+vIxXlNcUQ8lw2WXtDwO4VGur52 QjJSXO/xd81N8RW0NIy7WM6qGtFBRHcn+dkBc=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=from:to:cc:date:message-id:subject:mime-version:content-type; b=V4ugq1f0qSvGXxXDTdKwkFjjxJwzyxcEN11ibMISTGvuW09jXuQYqpiyi/A6hMVOoy nc02cAHRTOh5TtCIpsHAPE+7UEb5ugGm9LNvTGfS+Q5VMFgijC3V99D/83TeVZfhtxzk D3GfXihtIhGmreXByrewI59GkA0FPdYEfs4uE=
Received: by 10.42.171.66 with SMTP id i2mr3240500icz.230.1288287203879; Thu, 28 Oct 2010 10:33:23 -0700 (PDT)
Received: from [127.0.0.1] (c-71-202-74-146.hsd1.ca.comcast.net [71.202.74.146]) by mx.google.com with ESMTPS id z36sm706872vbw.17.2010.10.28.10.33.20 (version=SSLv3 cipher=RC4-MD5); Thu, 28 Oct 2010 10:33:21 -0700 (PDT)
From: aerowolf@gmail.com
To: "Steingruebl, Andy" <asteingruebl@paypal-inc.com>
Date: Thu, 28 Oct 2010 10:33:19 -0700
Message-ID: <gftwxp21sxvyvm0zxnJYNxe982v3j_gmsm@mail.gmail.com>
MIME-Version: 1.0
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha1"; boundary="gmsm0.4.7eqgftwxt8p3a684p6ihu2"
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Server Name Indication (SNI) in an IPv6 world?
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 28 Oct 2010 17:31:57 -0000


On Wed, Oct 27, 2010 at 10:22 AM, Steingruebl, Andy <asteingruebl@paypal-inc.com> wrote:
> Sorry, my point is that preventing DNS rebinding relies on client security in many 
> ways, but to make it happen a server also has to serve content for hostnames it 
> doesn't really serve content for.  With TLS this is hard(er) to make happen 
> because of certificate warnings.  For non-TLS, there aren't any indicators. 
> Servers should be configured to only serve data for their hostnames.  Or, so I'd 
> argue.

In my opinion, all servers should serve https, and any connections to http should be redirected to https on the same hostname and URI.  (Then again, that's what I do on my server.)

Apache can do <NameVirtualHost *:443> with a wildcard certificate.  This allows a wildcard or multi-SAN cert to be used, but it also has a different way it can be applied:

On my server, on the default :443, I put a "You're not supposed to be here" page, and then I do VirtualHosts for the names I want.

This allows me to handle the error at the application level, rather than at the server level (since my server hosts 6 sites across 3 IPs, and the look and feel of error handling is different between the applications).  This application-level verification works well for a certificate-requirement site, so that instead of a generic "handshake failure" message with no troubleshooting information, I can direct users to where they can get a cert.

It is worth noting that my site accepts any name in Host and doesn't use SNI.  It will not give useful access to any application unless the Host matches what it's supposed to, though.

-Kyle H

v2.23.0 | Report a Bug | By Email