
curl-library

Re: Support for custom SNI

From: Daniel Stenberg <daniel_at_haxx.se>
Date: Mon, 25 Jun 2018 23:51:08 +0200 (CEST)

On Mon, 25 Jun 2018, Gaurav Malhotra wrote:

> We've configured the web server to select one of the available server
> certificates based on a SNI hint sent by the client during the TLS
> handshake. The problem we're facing is that libcurl does not currently allow
> the specification of a custom SNI independent of the server's host name. In
> the scenario I've described above, each client needs to use the same host
> name for CURLOPT_SSL_VERIFYHOST but a different SNI.

I would of course argue that you've departed from the HTTPS road when you did
this. Those specs say that the host name from the URL should be used in the
SNI field in the TLS handshake.

Most users would solve your problem by just creating a set of vhosts using
different names as then you'd avoid the SNI problem and they could all still
provide the same contents if that's what you want.

> Is there some way to achieve the desired result without changing libcurl?

I can't think of any. The host name from the URL will be used in the SNI field
pretty unconditionally as I recall it.

> Would it be useful to enhance libcurl to allow the specification of a
> custom SNI? If so, I'd be more than happy to work on a patch for curl and
> submit a pull request on github.

I'm sure it would find its users so I would not be against it. Such a feature
has been requested several times in the past, even if in most cases the
--resolve or --connect-to options have been able to solve the tasks for users.

-- 
  / daniel.haxx.se
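The exchange above turns on one fact: libcurl puts the host name from the URL into the SNI field of the ClientHello, and the `--resolve` / `--connect-to` workarounds only change where the TCP connection goes, not that name. The quickest way to confirm what a client actually sends is to capture the first TLS record of a connection and read the server_name extension out of it. The following is an added example, not code from the curl project or from anyone in this thread: it builds a constructed TLS 1.2 ClientHello (random bytes, one cipher suite, optional SNI), parses the SNI back out, and checks it against the host of a URL. On a real capture you would feed `extract_sni()` the bytes of the first client-to-server record instead of the constructed one.

```python
import os
import struct
from typing import Optional
from urllib.parse import urlparse

SNI_EXT_TYPE = 0x0000  # TLS extension type "server_name" (RFC 6066)
HOST_NAME_TYPE = 0     # NameType host_name inside the ServerNameList


def build_client_hello(sni: Optional[str]) -> bytes:
    """Construct a minimal TLS 1.2 ClientHello record (test input, not a real client)."""
    exts = b""
    if sni is not None:
        host = sni.encode("idna")
        server_name = struct.pack("!BH", HOST_NAME_TYPE, len(host)) + host
        server_name_list = struct.pack("!H", len(server_name)) + server_name
        exts += struct.pack("!HH", SNI_EXT_TYPE, len(server_name_list)) + server_name_list
    body = b"\x03\x03" + os.urandom(32)            # client_version + random
    body += b"\x00"                                # empty session_id
    body += struct.pack("!H", 2) + b"\x13\x01"     # one cipher suite (TLS_AES_128_GCM_SHA256)
    body += b"\x01\x00"                            # compression_methods: null only
    body += struct.pack("!H", len(exts)) + exts    # extensions block (may be empty)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # record header


def _need(buf: bytes, pos: int, n: int) -> None:
    """Raise instead of reading past the end of a truncated capture."""
    if pos + n > len(buf):
        raise ValueError("truncated ClientHello at offset %d" % pos)


def extract_sni(record: bytes) -> Optional[str]:
    """Return the host_name from the SNI extension of a ClientHello record, or None if absent."""
    _need(record, 0, 5)
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    _need(record, 5, rec_len)
    hs = record[5:5 + rec_len]
    _need(hs, 0, 4)
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    _need(hs, 4, hs_len)
    body = hs[4:4 + hs_len]

    pos = 2 + 32                                   # skip client_version and random
    _need(body, pos, 1)
    pos += 1 + body[pos]                           # session_id
    _need(body, pos, 2)
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
    _need(body, pos, 1)
    pos += 1 + body[pos]                           # compression_methods
    if pos + 2 > len(body):
        return None                                # no extensions block at all: no SNI
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    _need(body, pos, ext_len)

    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        _need(body, pos, elen)
        edata = body[pos:pos + elen]
        pos += elen
        if etype != SNI_EXT_TYPE:
            continue
        _need(edata, 0, 2)
        list_end = 2 + struct.unpack("!H", edata[:2])[0]
        lpos = 2
        while lpos + 3 <= list_end:
            ntype, nlen = struct.unpack("!BH", edata[lpos:lpos + 3])
            lpos += 3
            _need(edata, lpos, nlen)
            name = edata[lpos:lpos + nlen]
            lpos += nlen
            if ntype == HOST_NAME_TYPE:
                return name.decode("idna")
    return None


def sni_matches_url(record: bytes, url: str) -> bool:
    """True when the SNI in the captured ClientHello equals the host name of the URL."""
    expected = urlparse(url).hostname
    return expected is not None and extract_sni(record) == expected.lower()


if __name__ == "__main__":
    # Constructed sample: the name a client would send for https://www.example.com/
    hello = build_client_hello("www.example.com")
    print("SNI sent:", extract_sni(hello))
    print("matches URL host:", sni_matches_url(hello, "https://www.example.com/path"))
```

The check in `sni_matches_url()` encodes exactly the expectation Daniel describes: for a standards-conforming HTTPS client the SNI equals the URL host. If you route a request to a different address with `--connect-to` or `--resolve`, the record captured on the wire should still carry the URL's host name; a mismatch between SNI and the URL host is what the requested "custom SNI" feature would deliberately produce, and what an interception or monitoring point can flag.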
Received on 2018-06-25