[ruby-core:89305] [Ruby trunk Feature#15215] HTTPS server name indication (SNI): explicit server_name in Net::HTTP

[ruby-core:89305] [Ruby trunk Feature#15215] HTTPS server name indication (SNI): explicit server_name in Net::HTTP

[ruby-bugs]

Issue #15215 has been reported by aspettl (Aaron Spettl).

----------------------------------------
Feature #15215: HTTPS server name indication (SNI): explicit server_name in Net::HTTP
https://bugs.ruby-lang.org/issues/15215

* Author: aspettl (Aaron Spettl)
* Status: Open
* Priority: Normal
* Assignee: 
* Target version: 
----------------------------------------
**Current behavior and problem:**
At the moment, the host name or IP address given in the URL is used to provide the server name for SNI in HTTPS connections. While this behavior is sufficient in most cases, establishing a connection to a fixed IP using a certain server name is not possible.

**Proposed solution:**
Decouple the server name used for SNI from the address used for connecting. Add a new ssl_server_name attribute in Net::HTTP that defaults to the address (so the default behavior stays exactly the same).

**Notes**
* There are scenarios where a client would like to select a specific host when e.g. DNS round robin is configured. Examples: fallback strategies, monitoring of individual hosts.
* This has nothing to do with the HTTP "Host" header, which one needs to set additionally.

For my "proposed solution", a patch is attached (or see https://github.com/ruby/ruby/pull/1977).
Please let me know about any ideas for improvement or other approaches, thanks!

---Files--------------------------------
ssl_server_name.patch (2.17 KB)


-- 
https://bugs.ruby-lang.org/

[ruby-core:89307] [Ruby trunk Feature#15215] HTTPS server name indication (SNI): explicit server_name in Net::HTTP

[ruby-bugs]

Issue #15215 has been updated by aspettl (Aaron Spettl).


aspettl (Aaron Spettl) wrote:
> **Proposed solution:**
> Decouple the server name used for SNI from the address used for connecting. Add a new ssl_server_name attribute in Net::HTTP that defaults to the address (so the default behavior stays exactly the same).

One comment on a corner case:
When ssl_server_name is set, then it is always used for verifying the certificate - even when OpenSSL is old and does not support SNI yet. In such a case, the certificate presented by the server will not match probably (and, thus, verification fails). I think this is desired behavior.

----------------------------------------
Feature #15215: HTTPS server name indication (SNI): explicit server_name in Net::HTTP
https://bugs.ruby-lang.org/issues/15215#change-74335

* Author: aspettl (Aaron Spettl)
* Status: Open
* Priority: Normal
* Assignee: 
* Target version: 
----------------------------------------
**Current behavior and problem:**
At the moment, the host name or IP address given in the URL is used to provide the server name for SNI in HTTPS connections. While this behavior is sufficient in most cases, establishing a connection to a fixed IP using a certain server name is not possible.

**Proposed solution:**
Decouple the server name used for SNI from the address used for connecting. Add a new ssl_server_name attribute in Net::HTTP that defaults to the address (so the default behavior stays exactly the same).

**Notes**
* There are scenarios where a client would like to select a specific host when e.g. DNS round robin is configured. Examples: fallback strategies, monitoring of individual hosts.
* This has nothing to do with the HTTP "Host" header, which one needs to set additionally.

For my "proposed solution", a patch is attached (or see https://github.com/ruby/ruby/pull/1977).
Please let me know about any ideas for improvement or other approaches, thanks!

---Files--------------------------------
ssl_server_name.patch (2.17 KB)


-- 
https://bugs.ruby-lang.org/

[ruby-core:90572] [Ruby trunk Feature#15215] HTTPS server name indication (SNI): explicit server_name in Net::HTTP

[ruby-bugs]

Issue #15215 has been updated by aspettl (Aaron Spettl).


I still like to have this feature. Any opinion on this? Especially @naruse as a maintainer of lib/net/http(s).rb?

Thanks!

----------------------------------------
Feature #15215: HTTPS server name indication (SNI): explicit server_name in Net::HTTP
https://bugs.ruby-lang.org/issues/15215#change-75725

* Author: aspettl (Aaron Spettl)
* Status: Open
* Priority: Normal
* Assignee: 
* Target version: 
----------------------------------------
**Current behavior and problem:**
At the moment, the host name or IP address given in the URL is used to provide the server name for SNI in HTTPS connections. While this behavior is sufficient in most cases, establishing a connection to a fixed IP using a certain server name is not possible.

**Proposed solution:**
Decouple the server name used for SNI from the address used for connecting. Add a new ssl_server_name attribute in Net::HTTP that defaults to the address (so the default behavior stays exactly the same).

**Notes**
* There are scenarios where a client would like to select a specific host when e.g. DNS round robin is configured. Examples: fallback strategies, monitoring of individual hosts.
* This has nothing to do with the HTTP "Host" header, which one needs to set additionally.

For my "proposed solution", a patch is attached (or see https://github.com/ruby/ruby/pull/1977).
Please let me know about any ideas for improvement or other approaches, thanks!

---Files--------------------------------
ssl_server_name.patch (2.17 KB)


-- 
https://bugs.ruby-lang.org/

[ruby-core:94421] [Ruby master Feature#15215] HTTPS server name indication (SNI): explicit server_name in Net::HTTP

[not.waf]

Issue #15215 has been updated by waf (felix wong).


aspettl (Aaron Spettl) wrote:
> I still like to have this feature. Any opinion on this? Especially @naruse as a maintainer of lib/net/http(s).rb?
> 
> Thanks!

+1 as well

----------------------------------------
Feature #15215: HTTPS server name indication (SNI): explicit server_name in Net::HTTP
https://bugs.ruby-lang.org/issues/15215#change-80842

* Author: aspettl (Aaron Spettl)
* Status: Open
* Priority: Normal
* Assignee: 
* Target version: 
----------------------------------------
**Current behavior and problem:**
At the moment, the host name or IP address given in the URL is used to provide the server name for SNI in HTTPS connections. While this behavior is sufficient in most cases, establishing a connection to a fixed IP using a certain server name is not possible.

**Proposed solution:**
Decouple the server name used for SNI from the address used for connecting. Add a new ssl_server_name attribute in Net::HTTP that defaults to the address (so the default behavior stays exactly the same).

**Notes**
* There are scenarios where a client would like to select a specific host when e.g. DNS round robin is configured. Examples: fallback strategies, monitoring of individual hosts.
* This has nothing to do with the HTTP "Host" header, which one needs to set additionally.

For my "proposed solution", a patch is attached (or see https://github.com/ruby/ruby/pull/1977).
Please let me know about any ideas for improvement or other approaches, thanks!

---Files--------------------------------
ssl_server_name.patch (2.17 KB)


-- 
https://bugs.ruby-lang.org/

[ruby-core:96157] [Ruby master Feature#15215] HTTPS server name indication (SNI): explicit server_name in Net::HTTP

[naruse]

Issue #15215 has been updated by naruse (Yui NARUSE).


Duplicated with #5180.
Since there're 3 layers:
* host address for TCP/IP
* TLS server name
* HTTP Host header

In this use case, I think you wan to set different value for IP layer.
If you forget to change HTTP Host header, it will cause unexpected result if the server uses VirtualHost.

I understand this ticket and related GitHub PRs as +1 for #5180, and I reopen it and commit.

----------------------------------------
Feature #15215: HTTPS server name indication (SNI): explicit server_name in Net::HTTP
https://bugs.ruby-lang.org/issues/15215#change-83033

* Author: aspettl (Aaron Spettl)
* Status: Open
* Priority: Normal
* Assignee: 
* Target version: 
----------------------------------------
**Current behavior and problem:**
At the moment, the host name or IP address given in the URL is used to provide the server name for SNI in HTTPS connections. While this behavior is sufficient in most cases, establishing a connection to a fixed IP using a certain server name is not possible.

**Proposed solution:**
Decouple the server name used for SNI from the address used for connecting. Add a new ssl_server_name attribute in Net::HTTP that defaults to the address (so the default behavior stays exactly the same).

**Notes**
* There are scenarios where a client would like to select a specific host when e.g. DNS round robin is configured. Examples: fallback strategies, monitoring of individual hosts.
* This has nothing to do with the HTTP "Host" header, which one needs to set additionally.

For my "proposed solution", a patch is attached (or see https://github.com/ruby/ruby/pull/1977).
Please let me know about any ideas for improvement or other approaches, thanks!

---Files--------------------------------
ssl_server_name.patch (2.17 KB)


-- 
https://bugs.ruby-lang.org/