heiko/cert-proxy
1
0
Fork 0
Code Issues 5 Pull requests Releases 1 Activity

use FQDN for servername (SNI) #4

New issue
Closed
opened 2021-09-10 11:53:48 +02:00 by heiko · 0 comments
heiko commented 2021-09-10 11:53:48 +02:00
Owner
Copy link

It seems that there is at least one MITM proxy (Sophos) that tries to use the SNI as an indication where to forward the connection to. So we should use a FQDN SNI.

Currently we use "cert-proxy" as the default. This can easily be overwritten with the -servername <FQDN> option, but OTOH, the server needs to have a certificate that uses that FQDN.

  • the CA should provide a flag to include the FQDN in the SAN, or to use the FQDN as the CN, having a SAN of the FQDN and additional short names, if necessary.

  • the client should use the name from the connect URL as the SNI, except overridden by the -servername option

It seems that there is at least one MITM proxy (Sophos) that tries to use the SNI as an indication where to forward the connection to. So we should use a FQDN SNI. Currently we use "cert-proxy" as the default. This can easily be overwritten with the `-servername <FQDN>` option, but OTOH, the server needs to have a certificate that uses that FQDN. - [ ] the CA should provide a flag to include the FQDN in the SAN, or to use the FQDN as the CN, having a SAN of the FQDN and additional short names, if necessary. - [ ] the client should use the name from the connect URL as the SNI, except overridden by the `-servername` option
heiko self-assigned this 2021-09-10 11:53:48 +02:00
heiko added this to the release 1.17 milestone 2021-09-10 11:55:30 +02:00
heiko stopped working 2021-09-28 14:24:44 +02:00
28h 1min 21s
heiko closed this issue 2022-03-18 20:42:44 +01:00
Sign in to join this conversation.
master
Branches Tags
Clear current reference
master
debian/bullseye
ci
debian/sid
heiko/dev
fqdn-cn
debian/buster
Clear current reference
v1.18.2
1.18.1
1.18.0
1.17
debian/1.17-0
debian/1.17_RC0-1
1.17-RC0
1.16-RC1
debian/1.16-RC0-0
1.16-RC0
debian/1.15.3-2
debian/1.15.3-1
1.15.3
1.15.2
debian/1.15.1-2
debian/1.15.1-1
1.15.1
1.15
debian/1.14.1-2
debian/1.14.1-1
1.14.1
1.14
debian/1.13-1
1.13
debian/1.12-2
1.12
1.11
debian/1.10.2-2
debian/1.10.2-1
1.10.2
debian/1.10.1-1
1.10.1
1.10
debian/1.9-2
debian/1.9-1
1.9
debian/1.8-3
debian/1.8-2
debian/1.8-1
1.8
debian/1.7.1-1
1.7.1
debian/1.7-1
1.7
debian/1.6-1
1.6
debian/1.5-4
debian/1.5-3
debian/1.5-2
debian/1.5-1
1.5
1.4
1.3.1
debian/1.3-4
debian/1.3-3
debian/1.3-2
debian/1.3-1
debian/1.3-0
1.3
1.2
1.1
1.0
0.5
0.4
0.3
0.2
0.1
Labels
Clear labels   
bug

Something is not working

  
duplicate

This issue or pull request already exists

  
enhancement

New feature

  
help wanted

Need some help

  
invalid

Something is wrong

  
question

More information is needed

  
wontfix

This won't be fixed

No labels
bug
duplicate
enhancement
help wanted
invalid
question
wontfix
Milestone
Clear milestone
No items
No milestone
release 1.17
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
heiko
1 participant
Notifications
Total time spent: 1 day 4 hours
heiko
1 day 4 hours
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
heiko/cert-proxy#4
No description provided.