[Reference:<_A4681@delegate-en.ML_>]
Newsgroups: mail-lists.delegate-en

[DeleGate-En] Re: Bad Request with SNI
01 Dec 2009 18:05:21 GMT feedback@delegate.org (Yutaka Sato)
The DeleGate Project


Hello,

In message <035801ca72ab$21acd770$65068650$@rauh@genia-sec.de> on 12/02/09(02:24:25)
you "Bernhard Rauh" <pjejabdyi-6cvihqspebdr.ml@ml.delegate.org> wrote:
 |I'm using a DeleGate proxy as a certificate gateway:
 |
 |delegated SERVER=http -P9090 MOUNT="/* https://www.sslserver.de/*" \
 |        FSV="sslway -cert cert.pem -pass pass:password" \
 |        HTTPCONF="ver:1.0" \
 |        SSLTUNNEL=NEXTPROXY
 |
 |The connection with the destination host fails with the message "Bad Request
 |- Your browser sent a request that this server could not understand."
 |
 |The following entries are in the log file of the destination host:
 |Hostname 1x.1x.9x.1x provided via SNI and hostname www.sslserver.de provided
 |via HTTP are different
 |
 |The destination host is an Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8j
 |with SNI activated.
 |
 |The hostname item (1x.1x.9x.1x) is the entry in the client browser. It
 |seems that the delegate does not work as a transparent proxy to connect with
 |its own address.

Thank you for your notice.  With the TLSCONF=-vd option, I confirmed that
DeleGate sends the value of the Host: field of the HTTP request from a client.
For the time being, the enclosed patch will be useful to work around the problem.

Cheers,
Yutaka
--
  9 9   Yutaka Sato <y.sato@delegate.org> http://delegate.org/y.sato/
 ( ~ )  National Institute of Advanced Industrial Science and Technology
_<   >_ 1-1-4 Umezono, Tsukuba, Ibaraki, 305-8568 Japan
Do the more with the less -- B. Fuller

*** dist/src/delegate9.9.6/filters/sslway.c	Tue Nov 17 16:28:00 2009
--- ./filters/sslway.c	Wed Dec  2 02:57:08 2009
***************
*** 1945,1951 ****
--- 1945,1956 ----
  }
  static void set_vhost(SSL *conSSL){
  	const char *vhost;
+ 	/*
  	if( vhost = getenv("SERVER_NAME") ){
+ 	*/
+ 	if( (vhost = getenv("SERVER_HOST")) /* destination host */
+ 	 || (vhost = getenv("SERVER_NAME")) /* incoming I.F. */
+ 	){
  		TRACE("-- TLSxSNI: send %s",vhost);
  		SSL_set_tlsext_host_name(conSSL,vhost);
  	}
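Review bot: the `|| (vhost = getenv("SERVER_NAME"))` fallback re-sends the incoming-interface name whenever SERVER_HOST is unset, which is exactly the value the report shows Apache rejecting ("Hostname 1x.1x.9x.1x provided via SNI and hostname www.sslserver.de provided via HTTP are different"); when the destination host is unknown it is safer to skip SSL_set_tlsext_host_name() altogether than to guess. Neither value is checked for being a hostname: RFC 6066 does not permit IPv4/IPv6 literals in server_name, and a MOUNT to an IP address would put one on the wire, so test the string before the TRACE()/SSL_set_tlsext_host_name() calls and omit SNI for literals. Style: delete the old `if( vhost = getenv("SERVER_NAME") ){` line rather than leaving it inside a `/* */` block; the new two-line chain with its comments already documents the precedence.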

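As an added example that is not part of this post or of DeleGate, the following Python models the choice the patched set_vhost() makes: derive the SNI name from the MOUNT destination rather than from the client's Host: header, and send no SNI at all when the name would be an IP literal. The MOUNT target is the one from the report; 192.0.2.10 is a constructed stand-in for the redacted proxy address, and origin_accepts() is a simplified model of the mod_ssl check quoted in the log, not Apache's code.

```python
"""Choosing the TLS SNI host_name in a certificate gateway (added example, not DeleGate code).

The thread's failure: the proxy copied the client's Host: header (the proxy's own
address, typed into the browser) into the outbound ClientHello, while the proxied
HTTP request carried the MOUNT target's Host:, so an SNI-enabled Apache rejected
it. The fix is to derive SNI from the upstream URL and to send no SNI when that
would be an IP literal, which RFC 6066 section 3 does not permit.
"""
import ipaddress
from urllib.parse import urlsplit

# Constructed values modelled on the thread; 192.0.2.10 stands in for the redacted proxy IP.
MOUNT_TARGET = "https://www.sslserver.de/*"
CLIENT_HOST_HEADER = "192.0.2.10:9090"


def host_of(host_header: str) -> str:
    """Strip an optional :port from a Host: header value; keeps IPv6 brackets intact."""
    h = host_header.strip()
    if h.startswith("["):                      # [v6]:port
        return h[: h.index("]") + 1].lower()
    return h.rsplit(":", 1)[0].lower() if h.count(":") == 1 else h.lower()


def is_ip_literal(name: str) -> bool:
    """True for an IPv4 or IPv6 address, with or without brackets."""
    try:
        ipaddress.ip_address(name.strip("[]"))
        return True
    except ValueError:
        return False


def sni_from_client_host(client_host_header: str):
    """The behaviour reported in the thread: SNI copied from the client's Host: header."""
    return host_of(client_host_header) or None


def sni_for_upstream(mount_target: str):
    """Hardened choice: SNI comes from the MOUNT destination, never from the client.

    Returns None when no legal host_name exists (IP literal or missing host), meaning
    'omit the server_name extension', which is what an IP-addressed origin expects.
    """
    host = urlsplit(mount_target).hostname     # lowercased, port and brackets removed
    if not host or is_ip_literal(host):
        return None
    return host


def origin_accepts(sni, request_host_header: str) -> bool:
    """Simplified model of mod_ssl's check: with SNI present, Host: (minus port) must match it."""
    if sni is None:
        return True                            # no SNI: default vhost, no comparison made
    return host_of(request_host_header) == sni.lower()


def demo():
    """Run the 'before' (client Host: copied into SNI) and 'after' (MOUNT host) cases."""
    upstream_host_header = urlsplit(MOUNT_TARGET).netloc   # what the proxy sends upstream
    before = sni_from_client_host(CLIENT_HOST_HEADER)
    after = sni_for_upstream(MOUNT_TARGET)
    return {
        "before": (before, origin_accepts(before, upstream_host_header)),
        "after": (after, origin_accepts(after, upstream_host_header)),
    }


if __name__ == "__main__":
    for label, (sni, ok) in demo().items():
        print(f"{label}: SNI={sni!r} origin_accepts={ok}")
```

Running it shows the reported case (SNI 192.0.2.10 against Host: www.sslserver.de) rejected and the MOUNT-derived SNI accepted; a MOUNT to https://192.0.2.10/* or an IPv6 literal yields no SNI rather than an RFC-violating one.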