
curl-library

RFE: SNI and HTTP Host Header

From: Kristian Fiskerstrand <kristian.fiskerstrand_at_sumptuouscapital.com>
Date: Sat, 10 Nov 2012 20:45:56 +0100

Hi,

Recently I added an HKPS pool to sks-keyservers.net, and in that process
I'm validating the SKS keyservers' SSL/TLS certificates against my own
Certificate Authority, so only servers with certificates signed by
myself are included. This ensures a subjectAltName for the appropriate
host, in order to avoid certificate failures. So far so good.

Some servers for various reasons need to have another certificate
installed signed by another authority. In order for this to be handled
properly, Server Name Indication is used to properly map the request
with the virtual host and the certificate to present to the client.

My crawler uses curl as the basis for the requests, and as I connect
using the hostname found in server discovery, whereby I need it to be
valid for the purpose of a DNS Round Robin, it uses the HTTP Host: header
matching the keyserver pool. The issue with vanilla curl, however, is
that there is no way to manually set the SNI hostname to use, and it
will default to the hostname of the request.

As such I have created a (very) crude patch that will use the Host
header presented instead. It is based on a patch I found in the curl
mailing list archives [0, 1], rebased to the current 7.2x version (last
applied to 7.28).

I'm including it here in case it is useful for anyone else, and to add
my request that the feature can hopefully be implemented in the
mainline. I say it is crude due to e.g. a verbatim copy of
copy_header_value() from http.c, as for my purpose I didn't want to make
too many changes to the overall curl, and simply exposing this in http.h
results in build errors.

Otherwise I'll keep maintaining my patchset locally.

Brgds,

[0] http://curl.haxx.se/mail/lib-2008-07/0300.html
[1] http://curl.haxx.se/mail/lib-2010-08/0166.html

-- 
----------------------------
Kristian Fiskerstrand
http://www.sumptuouscapital.com
Twitter: @krifisk
----------------------------
"A government that robs Peter to pay Paul can always depend on the
support of Paul."
(George Bernard Shaw)
----------------------------
This email was digitally signed using the OpenPGP
standard. If you want to read more about this
The book: Sending Emails - The Safe Way: An
introduction to OpenPGP security is
available in both Amazon Kindle and Paperback
format at
http://www.amazon.com/dp/B006RSG1S4/
----------------------------
Public PGP key 0xE3EDFAE3 at http://www.sumptuouscapital.com/pgp/


Received on 2012-11-11
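The point of the request above is that a crawler talks to one server behind a pool using three names that need not agree: the address the TCP connection goes to, the name in the TLS ClientHello's server_name (SNI) extension, and the name in the HTTP Host header. The following is an added example, not the author's patch and not libcurl code, that makes the TLS-layer/HTTP-layer split visible offline: it drives Python's standard-library ssl module far enough to emit a ClientHello into a memory BIO, parses the SNI extension out of the raw record, and builds the HTTP request separately. The hostnames (hkps.example.org, 192.0.2.10) and the lookup path are constructed placeholders. It also shows the failure mode the mail describes in its sharpest form: when the connection is made to an IP literal, no SNI is sent at all, so the server has nothing to select the pool's virtual host and certificate with.

```python
import ssl

# Constructed example names: the pool name the Host header and SNI should
# carry, and the address of one individual server discovered behind the pool.
POOL_NAME = "hkps.example.org"
SERVER_ADDR = "192.0.2.10"


def client_hello_bytes(server_hostname):
    """Run the OpenSSL client far enough to emit its ClientHello into a
    memory BIO; no network socket is opened."""
    ctx = ssl.create_default_context()
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    conn = ctx.wrap_bio(incoming, outgoing, server_hostname=server_hostname)
    try:
        conn.do_handshake()
    except ssl.SSLWantReadError:
        pass  # ClientHello has been written; client now waits for the server
    return outgoing.read()


def _u16(buf, pos):
    return int.from_bytes(buf[pos:pos + 2], "big")


def extract_sni(record):
    """Return the host_name from the server_name extension (RFC 6066) of a
    raw TLS ClientHello record, or None when the extension is absent."""
    if not record or record[0] != 0x16:           # ContentType handshake
        raise ValueError("not a TLS handshake record")
    handshake = record[5:5 + _u16(record, 3)]
    if handshake[0] != 0x01:                      # HandshakeType client_hello
        raise ValueError("not a ClientHello")
    body = handshake[4:4 + int.from_bytes(handshake[1:4], "big")]
    pos = 2 + 32                                  # legacy_version + random
    pos += 1 + body[pos]                          # session_id
    pos += 2 + _u16(body, pos)                    # cipher_suites
    pos += 1 + body[pos]                          # compression_methods
    if pos >= len(body):
        return None                               # no extensions block
    ext_end = pos + 2 + _u16(body, pos)
    pos += 2
    while pos + 4 <= ext_end:
        ext_type, ext_len = _u16(body, pos), _u16(body, pos + 2)
        data = body[pos + 4:pos + 4 + ext_len]
        pos += 4 + ext_len
        if ext_type != 0:                         # 0 == server_name
            continue
        lpos = 2                                  # skip ServerNameList length
        while lpos + 3 <= len(data):
            name_type, name_len = data[lpos], _u16(data, lpos + 1)
            name = data[lpos + 3:lpos + 3 + name_len]
            lpos += 3 + name_len
            if name_type == 0:                    # NameType host_name
                return name.decode("ascii")
    return None


def http_request(host_header, path="/pks/lookup?op=stats"):
    """HTTP/1.1 request bytes; the Host header is chosen independently of
    whatever name went into the TLS layer."""
    return (f"GET {path} HTTP/1.1\r\nHost: {host_header}\r\n"
            f"Connection: close\r\n\r\n").encode("ascii")


def plan(connect_to, sni_name, host_header):
    """The three names a pool crawler has to keep straight."""
    return {
        "connect_to": connect_to,
        "sni": extract_sni(client_hello_bytes(sni_name)),
        "host_header": host_header,
    }


if __name__ == "__main__":
    # The behaviour the mail complains about: SNI follows the name used to
    # connect (an IP literal here, so no SNI is sent at all) while the Host
    # header names the pool, so the server cannot pick the pool's certificate.
    print(plan(SERVER_ADDR, SERVER_ADDR, POOL_NAME))
    # What the crawler wants: connect to the discovered server, but present
    # the pool name in both SNI and Host so the pool certificate is served.
    print(plan(SERVER_ADDR, POOL_NAME, POOL_NAME))
```

For the curl side, libcurl keys SNI to the host in the URL rather than to the Host header; the supported way to get the second `plan()` above without patching is `--resolve` (CURLOPT_RESOLVE), which pins the pool name in the URL to the discovered server's address so that SNI, certificate verification and the Host header all carry the pool name.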