Re: [TLS] Connection diversion to other subdomains

Matt McCutchen <> Mon, 01 November 2010 03:42 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id B737E3A6860 for <>; Sun, 31 Oct 2010 20:42:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: 0
X-Spam-Status: No, score=0 tagged_above=-999 required=5 tests=[none]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id VJgaTh4S-UpJ for <>; Sun, 31 Oct 2010 20:42:41 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id C14913A67A7 for <>; Sun, 31 Oct 2010 20:42:38 -0700 (PDT)
Received: from (localhost []) by (Postfix) with ESMTP id D01D83BC06A; Sun, 31 Oct 2010 20:42:38 -0700 (PDT)
DomainKey-Signature: a=rsa-sha1; c=nofws;; h=subject:from :to:cc:in-reply-to:references:content-type:date:message-id :mime-version:content-transfer-encoding; q=dns; s=; b=JulmIpuwhmKfpjP5ezs+4BzfDZO35NtUFvFPrSKmlPF o/5bcOA6xE/5IwAiwuELq6DqEVugwwsqb4TVyUCEBcS4JaNcql3SzQPUL4Dxqijt N+s7rY1QwMLnEhaagwH6FzWxekNDJ7yjukhfwNRjzO//NS5N9+ALD0Y6Tg9c6fNE =
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed;; h= subject:from:to:cc:in-reply-to:references:content-type:date :message-id:mime-version:content-transfer-encoding; s=; bh=lXykAe5wbZ0pLV0Fpo7zSURPtVg=; b=ZnP2MYI/dP sD9pjwWhc6D23mYtYpox/OiO64LO11/MMxVqYhCMdf/ykh8XMDCPtcfN8OA5oLo2 5GtEDxxdc8tgAp8Lhz0dJA6e3UZDg8Jze63BMsgsxzFtcksWLwHsoIQ6nPGYdF1L QemMeiakNU+2+NUybgLmaAlfjU6RkcgW8=
Received: from [] ( []) (Authenticated sender: by (Postfix) with ESMTPA id 8D6993BC069; Sun, 31 Oct 2010 20:42:38 -0700 (PDT)
From: Matt McCutchen <>
In-Reply-To: <>
References: <>
Content-Type: text/plain; charset="UTF-8"
Date: Sun, 31 Oct 2010 23:42:32 -0400
Message-ID: <1288582952.6095.25.camel@mattlaptop2.local>
Mime-Version: 1.0
X-Mailer: Evolution 2.30.4
Content-Transfer-Encoding: 7bit
Subject: Re: [TLS] Connection diversion to other subdomains
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 01 Nov 2010 03:42:42 -0000

On Thu, 2010-10-28 at 21:20 -0700, wrote:
> On Wed, Oct 27, 2010 at 9:01 PM, Matt McCutchen <> wrote:
> [re SNI and Host header mismatch]
> > How can I get the message out to holders of wildcard certificates that
> > they should prevent this attack?
> First, what would your proposed remedy be?  What do you think the best
> behavior would be?  Where would you put whatever check you propose in
> the processing chain of the server?

If a web server gets a request over TLS with a Host header that doesn't
match any of the sites it is supposed to serve, it should return an HTTP
error instead of serving content from some "default" site.  Ideally, the
error should not convey false information about the real server (e.g.,
404 would be bad).  There's no error code that exactly fits the
situation; 400, 403, and 503 are decent.  Perhaps a new error code could
be allocated.

If the server gets a TLS connection with a bad server_name extension, it
would be even better to go ahead and fail the handshake with an
"unrecognized_name" error.  Apache mod_ssl currently is not capable of
doing this; I might enter an enhancement request.