:: Re: [devuan-dev] Introducing apt-pa…
Page principale
Supprimer ce message
Répondre à ce message
Auteur: Irrwahn
Date:  
À: devuan-dev
CC: onefang
Sujet: Re: [devuan-dev] Introducing apt-panopticon, my Devuan mirror checker script.
onefang wrote on 06.11.19 12:38:
[...]
> As mentioned, using URLs with IPs you need to send the "Host =
> example.com" with the request, so that the server looks at the Host
> header, and knows which domain to use, as well as which certificate to
> use. I recall that certain types of proxy or reverse proxy might do
> this sort of thing.

[...]
> I look forward to your more in-depth report.


At the point in time where the server comes to examining the "Host"
Header field to delegate the request to the correct vhost, the TSL
connection has already been established. This constitutes some sort
of chicken-and-egg problem on setups providing multiple vhosts with
separate SSL certificates.

As I understand it, wildcard certificates aside, (E)SNI is a (the)
way to overcome this limitation by basically mimicking the HTTP named
vhost behavior on the TLS connection layer in order to ensure the
correct certificate is picked during the negotiation phase for the
particular vhost a given request is directed at. Provided both client
and server support SNI, of course.

I found and got rid of a small quirk in our server configuration that,
with a hefty pat of imagination, _might_ have been a reason for SNI
to not work correctly in every single imaginable permutation of request
parameters. We will see in your future reports, if something has
changed.

However, regardless how this may turn out, in my opinion it is still
beyond the purpose of a mirror checker to test for host characteristics
that are neither advertised nor strictly required, as this will almost
inevitably lower the signal to noise ratio eventually. If, for whatever
reasons, we fail to resolve the issue on our mirror site, I would go
ahead and suggest adding a dedicated flag to the mirror list to indicate
that HTTPS requests are only valid when explicitly directed at the
advertised mirror FQDN, and consequently skip the test in question for
that particular host. Personally, I'd like to only see serious problems
indicated in the weekly digest mirror report, and not get sent chasing
ghosts once per week, if you get my drift. ;-)

The last paragraph is of course just my two cents worth of opinion.
Your mileage may vary, and ultimately it's your project.

HTH, best regards,

Urban

--
Sapere aude!