[PATCH] SNI: better server name handling.

Piotr Sikora piotr at cloudflare.com
Wed Jul 24 02:27:32 UTC 2013


Hey Valentin,
sorry for the long delay.

> Nice catch, but I'm not happy with the solution.  With your patch, the client
> will be acknowledged of acceptance even if the server name is not found.

Correct, that's the intended behavior.

> I believe such behavior isn't consistent with RFC 4366, and it prevents the
> client from knowing that the specified virtual host doesn't exist on the server,
> which effectively makes it useless.

I actually disagree with that statement.

From RFC 4366, 3.1. Server Name Indication:

   A server that receives a client hello containing the "server_name"
   extension MAY use the information contained in the extension to guide
   its selection of an appropriate certificate to return to the client,
   and/or other aspects of security policy.  In this event, the server
   SHALL include an extension of type "server_name" in the (extended)
   server hello.  The "extension_data" field of this extension SHALL be
   empty.

My interpretation of the above paragraph is that if "server_name" from the
Client Hello is being used in the decision-making process, then the server
should always acknowledge that fact by sending an empty "server_name" in the
Server Hello, regardless of whether or not the server name was found,
i.e. even if the server name wasn't found, we still used that
information to decide to serve the certificate from the default server
block.

...or do you disagree?

> Let me propose a better (from my point of view) patch at the end of my message.

Your patch is indeed better and should be committed, simply for the
sake of fixing ngx_http_find_virtual_server(). Just keep in mind that
it doesn't change the behavior in the case where the server name wasn't found.

Best regards,
Piotr Sikora
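The point under discussion is how the "server_name" extension looks on the wire in each direction: the Client Hello carries a host_name entry, and a server that used it replies with a "server_name" extension whose extension_data is empty. The following is an added example, not code from this thread or from nginx, showing how to encode the client side of the extension and how to check a Server Hello extensions block for that empty acknowledgement. It handles only the extensions block itself (two-byte total length followed by type/length/data entries), not the surrounding handshake framing; the function names and the sample byte strings are constructed for illustration.

```python
import struct

# Real IANA values from RFC 4366: extension type server_name(0), NameType host_name(0).
EXT_SERVER_NAME = 0x0000
NAME_TYPE_HOST_NAME = 0


def encode_sni_extension(hostname: str) -> bytes:
    """Encode a Client Hello "server_name" extension for a single host_name entry."""
    name = hostname.encode("ascii")
    entry = struct.pack("!BH", NAME_TYPE_HOST_NAME, len(name)) + name
    server_name_list = struct.pack("!H", len(entry)) + entry
    return struct.pack("!HH", EXT_SERVER_NAME, len(server_name_list)) + server_name_list


def wrap_extensions(extensions: list) -> bytes:
    """Prefix a sequence of encoded extensions with the two-byte total length."""
    body = b"".join(extensions)
    return struct.pack("!H", len(body)) + body


def parse_extensions(blob: bytes) -> dict:
    """Parse an extensions block into {extension_type: extension_data}.

    Raises ValueError on truncation, length mismatch or duplicate types so that
    a malformed block is never silently accepted.
    """
    if len(blob) < 2:
        raise ValueError("truncated extensions block")
    total = struct.unpack("!H", blob[:2])[0]
    if total != len(blob) - 2:
        raise ValueError("extensions length mismatch")
    pos, out = 2, {}
    while pos < len(blob):
        if pos + 4 > len(blob):
            raise ValueError("truncated extension header")
        ext_type, ext_len = struct.unpack("!HH", blob[pos:pos + 4])
        pos += 4
        data = blob[pos:pos + ext_len]
        if len(data) != ext_len:
            raise ValueError("truncated extension body")
        if ext_type in out:
            raise ValueError("duplicate extension type %d" % ext_type)
        out[ext_type] = data
        pos += ext_len
    return out


def client_hostname(exts: dict):
    """Return the host_name a Client Hello asked for, or None if no SNI was sent."""
    data = exts.get(EXT_SERVER_NAME)
    if data is None:
        return None
    if len(data) < 2:
        raise ValueError("truncated server_name_list")
    list_len = struct.unpack("!H", data[:2])[0]
    entries = data[2:2 + list_len]
    if len(entries) != list_len:
        raise ValueError("server_name_list length mismatch")
    pos = 2 if False else 0
    while pos < len(entries):
        name_type, name_len = struct.unpack("!BH", entries[pos:pos + 3])
        pos += 3
        name = entries[pos:pos + name_len]
        if len(name) != name_len:
            raise ValueError("truncated host_name")
        pos += name_len
        if name_type == NAME_TYPE_HOST_NAME:
            return name.decode("ascii")
    return None


def server_acknowledged_sni(exts: dict) -> bool:
    """True iff the Server Hello carries "server_name" with empty extension_data.

    RFC 4366 says the data SHALL be empty, so a non-empty body is treated as no
    valid acknowledgement rather than as acceptance.
    """
    data = exts.get(EXT_SERVER_NAME)
    return data is not None and len(data) == 0


# Constructed samples (not captured traffic): a Client Hello asking for
# example.com, a Server Hello that acknowledges SNI, and one that does not.
CLIENT_HELLO_EXTS = wrap_extensions([encode_sni_extension("example.com")])
SERVER_HELLO_ACK = wrap_extensions([struct.pack("!HH", EXT_SERVER_NAME, 0)])
SERVER_HELLO_NO_ACK = wrap_extensions([])

if __name__ == "__main__":
    print("client asked for:", client_hostname(parse_extensions(CLIENT_HELLO_EXTS)))
    print("ack:", server_acknowledged_sni(parse_extensions(SERVER_HELLO_ACK)))
    print("no ack:", server_acknowledged_sni(parse_extensions(SERVER_HELLO_NO_ACK)))
```

Run against a captured Server Hello extensions block, `server_acknowledged_sni` tells you which of the two behaviours debated above a given server actually exhibits, which is the observable difference between the two patches. The parser rejects duplicate extension types and length mismatches rather than tolerating them, since lenient extension parsing is where such checks usually go wrong.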
