Mailing-List: contact dev-help@httpd.apache.org; run by ezmlm
Precedence: bulk
Reply-To: dev@httpd.apache.org
Received-SPF: pass (athena.apache.org: domain of ylavic.dev@gmail.com
 designates 209.85.223.175 as permitted sender)
MIME-Version: 1.0
In-Reply-To: <52943239.9080607@velox.ch>
References: <20131125155541.66e19919@hub>
	<CAKQ1sVPv86nzsbCk4Cyz-CG2qkhi1ioJwiig-3yLXpUU+=68qg@mail.gmail.com>
	<52943239.9080607@velox.ch>
Date: Tue, 26 Nov 2013 09:29:44 +0100
Message-ID: 
 <CAKQ1sVNF=RV28cpD7YgET2zpNgpzB2B5tOya3PkL7-ABmqJ57g@mail.gmail.com>
Subject: Re: Behavior of Host: vs. SNI Hostname in proxy CONNECT requests
From: Yann Ylavic <ylavic.dev@gmail.com>
To: dev@httpd.apache.org
Content-Type: multipart/alternative; boundary=e89a8ff24d9d5eb67204ec10484d

--e89a8ff24d9d5eb67204ec10484d
Content-Type: text/plain; charset=ISO-8859-1

On Tue, Nov 26, 2013 at 6:31 AM, Kaspar Brand <httpd-dev.2013@velox.ch>wrote:

> On 26.11.2013 00:46, Yann Ylavic wrote:
> >> Ideas for the appropriate patch to httpd?  Scope this fix to CONNECT
> >> requests alone, or all forward proxy requests?
> >>
> >>
> > Maybe all forward proxy modules are concerned.
> > There is PR
> > 55782
> >  which I started to debug but did not finish (run out of time).
> > From there it looked like ProxyPassPreserveHost may cause problems too
> > with SNI (not sure yet).
> >
> > Anyway, shouldn't the proxy code(s) use the Host header to fill in the
> SNI
> > from r->headers_in (when applicable), instead of r->hostname, at least
> for
> > the CONNECT and ProxyPassPreserveHost cases?
>
> AFAICT, this was the idea in the original patch for PR 53134, but a
> "slightly different approach" was then committed (r1333969).
>
> As far as PR 55782 is concerned, the problem might be that
> proxy_util.c:ap_proxy_determine_connection() does not take Host: header
> differences into account when checking if an existing connection can be
> reused (not sure). With SNI this would have the effect that the hostname
> from the TLS handshake is causing the mismatch with the Host: header.
>

ap_proxy_determine_connection() should only care about IP:port reuse,
which can be even if the Host has changed.

But indeed the Host is really what the origin server will use, so IMHO
this is the one to use for SNI in proxy_http_handler (should it differ from
r->hostname).

Another point is that SNI can not be an IP address according to the RFC
6066 :

3.  Server Name Indication
   [...]
   Literal IPv4 and IPv6 addresses are not permitted in "HostName".

and this is not specifically checked by mod_proxy before filling SNI.

Shouldn't the SNI be ommited when the Host is missing/empty or an IP
address too?


>
> Kaspar
>

--e89a8ff24d9d5eb67204ec10484d
Content-Type: text/html; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr"><div class=3D"gmail_extra"><div class=3D"gmail_quote">On T=
ue, Nov 26, 2013 at 6:31 AM, Kaspar Brand <span dir=3D"ltr">&lt;<a href=3D"=
mailto:httpd-dev.2013@velox.ch" target=3D"_blank">httpd-dev.2013@velox.ch</=
a>&gt;</span> wrote:<br>
<blockquote class=3D"gmail_quote" style=3D"margin:0px 0px 0px 0.8ex;border-=
left:1px solid rgb(204,204,204);padding-left:1ex"><div class=3D"im">On 26.1=
1.2013 00:46, Yann Ylavic wrote:<br>
&gt;&gt; Ideas for the appropriate patch to httpd? =A0Scope this fix to CON=
NECT<br>
&gt;&gt; requests alone, or all forward proxy requests?<br>
&gt;&gt;<br>
&gt;&gt;<br>
&gt; Maybe all forward proxy modules are concerned.<br>
&gt; There is PR<br>
&gt; 55782<br>
&gt; =A0which I started to debug but did not finish (run out of time).<br>
&gt; From there it looked like ProxyPassPreserveHost may cause problems too=
<br>
&gt; with SNI (not sure yet).<br>
&gt;<br>
&gt; Anyway, shouldn&#39;t the proxy code(s) use the Host header to fill in=
 the SNI<br>
&gt; from r-&gt;headers_in (when applicable), instead of r-&gt;hostname, at=
 least for<br>
&gt; the CONNECT and ProxyPassPreserveHost cases?<br>
<br>
</div>AFAICT, this was the idea in the original patch for PR 53134, but a<b=
r>
&quot;slightly different approach&quot; was then committed (r1333969).<br>
<br>
As far as PR 55782 is concerned, the problem might be that<br>
proxy_util.c:ap_proxy_determine_connection() does not take Host: header<br>
differences into account when checking if an existing connection can be<br>
reused (not sure). With SNI this would have the effect that the hostname<br=
>
from the TLS handshake is causing the mismatch with the Host: header.<br></=
blockquote><div><br><div class=3D"gmail_default" style=3D"font-family:arial=
,helvetica,sans-serif">ap_proxy_determine_connection() should only care abo=
ut IP:port reuse, which can be even if the Host has changed.</div>
<br><div class=3D"gmail_default" style=3D"font-family:arial,helvetica,sans-=
serif;display:inline">But indeed the Host is really what the origin server =
will use, so IMHO this is the one to use for SNI in proxy_http_handler (sho=
uld it differ from r-&gt;hostname).<br>
<br></div><div class=3D"gmail_default" style=3D"font-family:arial,helvetica=
,sans-serif;display:inline">Another point is that SNI can not be an IP addr=
ess according to the RFC 6066 :<br><pre>3.  Server Name Indication<br>=A0  =
[...]<br>
=A0  Literal IPv4 and IPv6 addresses are not permitted in &quot;HostName&qu=
ot;.
</pre>and this is not<span id=3D"result_box" class=3D"" lang=3D"en"><span c=
lass=3D""> specifically</span></span> checked by mod_proxy before filling S=
NI.<br><br>Shouldn&#39;t the SNI be ommited when the Host is missing/empty =
or an IP address too?<br>
</div>=A0</div><blockquote class=3D"gmail_quote" style=3D"margin:0px 0px 0p=
x 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<span class=3D""><font color=3D"#888888"><br>
Kaspar<br>
</font></span></blockquote></div><br></div></div>

--e89a8ff24d9d5eb67204ec10484d--