We noticed that when a request is made to a domain with a trailing dot, the SNI server name is not included in the ClientHello message.
Upon investigation, it seems the peerHost needs to be valid for the SNI server name to be generated in the SSL engine. However, the host passed in the pipeline configurator includes the trailing dot, making it invalid.
I came across #4875, which allows trailing dots and may be related.
Motivation:
A trailing dot specified in a hostname can be used to make DNS queries
to avoid using search domains. However, the trailing dot should be
removed for SNI.
https://datatracker.ietf.org/doc/html/rfc6066#section-3
> The hostname is represented as a byte string using ASCII encoding
> without a trailing dot.
Modifications:
- Add `Endpoint.withTrailingDot()` to remove a trailing dot if one exists.
- Use an `Endpoint` without a trailing dot to create a remote address
which is used for SNI.
Result:
- Fixed a bug where a trailing dot was included in the hostname used by SNI.
- Closes line#6044
Code Ref:
https://github.com/netty/netty/blame/4.1/handler/src/main/java/io/netty/handler/ssl/ReferenceCountedOpenSslEngine.java#L345
armeria/core/src/main/java/com/linecorp/armeria/client/HttpClientPipelineConfigurator.java
Lines 232 to 234 in 82a1f94
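The behaviour reported here can be reproduced with the JDK's own `javax.net.ssl` API, shown below as an added example that is not Armeria's or Netty's code: `SNIHostName` rejects a name ending in a dot, and stripping the dot before the name reaches the TLS layer restores the `server_name` entry. The class name `SniTrailingDot`, the helpers `sniHost` and `clientEngine`, and the sample host are assumptions made for this illustration.

```java
import java.util.List;
import javax.net.ssl.SNIHostName;
import javax.net.ssl.SNIServerName;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLParameters;

public class SniTrailingDot {
    // Hypothetical helper: strip one trailing dot (the DNS root label).
    // The dotted form is still fine for DNS resolution; only TLS needs this.
    static String sniHost(String host) {
        return host.endsWith(".") ? host.substring(0, host.length() - 1) : host;
    }

    // Hypothetical helper: client engine whose SNI list is set explicitly
    // from the normalized name instead of relying on the peer host alone.
    static SSLEngine clientEngine(String host, int port) throws Exception {
        String tlsHost = sniHost(host);
        SSLEngine engine = SSLContext.getDefault().createSSLEngine(tlsHost, port);
        engine.setUseClientMode(true);
        SSLParameters params = engine.getSSLParameters();
        params.setServerNames(List.of(new SNIHostName(tlsHost)));
        // Certificate hostname verification uses the same dot-free peer host.
        params.setEndpointIdentificationAlgorithm("HTTPS");
        engine.setSSLParameters(params);
        return engine;
    }

    public static void main(String[] args) throws Exception {
        String fqdn = "example.com."; // constructed sample input
        try {
            new SNIHostName(fqdn);
            System.out.println("accepted as-is: " + fqdn);
        } catch (IllegalArgumentException e) {
            // RFC 6066 section 3: host_name carries no trailing dot.
            System.out.println("rejected by SNIHostName: " + e.getMessage());
        }
        SSLEngine engine = clientEngine(fqdn, 443);
        for (SNIServerName name : engine.getSSLParameters().getServerNames()) {
            System.out.println("SNI to be sent: " + name);
        }
    }
}
```

Comparing the `server_name` extension in a captured ClientHello for the dotted and dot-free forms of the same host is a quick regression check for this class of bug.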