cURL / Mailing Lists / curl-library / Single Mail


Re: Manual setting of TLS Server Name Indication

From: Peter Sylvester <>
Date: Mon, 09 Aug 2010 20:27:16 +0200

On 08/09/2010 03:27 PM, Daniel Stenberg wrote:
> On Mon, 9 Aug 2010, Matthieu Speder wrote:
> Please don't top-post!
>> Imagine one https server with a single dns name ( and you
>> are
>> not allowed to create a second entry.
> So you have a server that you can control and access the SNI field
> with, but you can't add a second entry in the DNS for the host? It
> seems awfully kludgey to then just invent a host name in the SNI to
> get a specific meaning like that.
> It struck me that an arguably nicer way to handle this would be to use
> the host name provided in a custom Host: header - something we
> actually already do for cookies.
One might argue that setting a Host header should not be an option for
the user, it should be derived from the URL.

At least, linking Host: to the SNI is correct according to the RFC
So if such a name is set it should go both to SNI and Host:

There may be an issue with proxies. The CONNECT would not have
the same hostname as the SNI. Some firewalls might filter this.

There is another possibility in the server: Like it is done in apache,
based on the directory portion of the url, one initiates a renego,
this is a slight performance pb and one has to correctly buffer
the request.

In the described case the goal is not a different
server cert but rather not to request a client cert.
Furthermore, a server can always request a cert, and then accept
a response without it and require basic auth then. One does
not need to distinguish very early.
If there is no matching client cert, a normal browser just doesn't
respond with one, one tolerates that and the server
asks for basic auth.


List admin:
Received on 2010-08-09