It would be good to allow configuring permissive SNI headers
Expected behavior
The user of Netty can configure the SSL pipeline to both send and accept SNI headers that may not technically be legal. This is useful for proxies that want to specify not only the host, but also the port, e.g. foo.com:1234.
Actual behavior
Setting an SNI header with a : blows up the Netty pipeline.
JVM version (e.g. java -version)
openjdk version “1.8.0_275”
OS version (e.g. uname -a)
Darwin 20.6.0 Darwin Kernel Version 20.6.0
This is related to #11091.
cc @roanta.
Issue Analytics
- State:
- Created 2 years ago
- Comments:5 (5 by maintainers)
Top GitHub Comments
Drafted what a change for this might look like, we would appreciate any feedback. Thanks!
@normanmaurer, and receive, ideally in a way that allows you to use it but for the moment I’d settle for not having the certificate rejected as invalid.