Uploaded image for project: 'Undertow'
  1. Undertow
  2. UNDERTOW-1533

WebSockets client fails to issue SNI extension when connecting via HTTP Proxy

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Done
    • Icon: Major Major
    • 2.0.21.Final
    • 2.0.20.Final
    • Core
    • None
    • Hide

      Set up HTTP Proxy, let the WebSockets client use it. Connect via this proxy by means of TLS to a reverse proxy that handles multiple domain names. Watch the reverse proxy pick a wrong certificate.

      We have a “working” setup that fails: HA Proxy by default picks the “first” configured certificate.

      WebSockets client happily accepts this certificate (even if it does not match the requested domain, this is a different issue though in my opinion). However it is not the correct certificate.

      Show
      Set up HTTP Proxy, let the WebSockets client use it. Connect via this proxy by means of TLS to a reverse proxy that handles multiple domain names. Watch the reverse proxy pick a wrong certificate. We have a “working” setup that fails: HA Proxy by default picks the “first” configured certificate. WebSockets client happily accepts this certificate (even if it does not match the requested domain, this is a different issue though in my opinion). However it is not the correct certificate.

      When connecting with the WebSockets client via an HTTP Proxy server to a WebSockets server via SSL (TLS), the client does not include the SNI extension server_name indication.

      If the server that the client is connecting to is located behind a reverse proxy and the reverse proxy handles multiple servers via SNI, a wrong certificate may be selected (because the reverse proxy has no indication as to the specific target domain name).

      Picture:

      Client -> HTTP Proxy -> Reverse Proxy -> WebSockets server

              flaviarnn Flavia Rainone
              criege@riege.com Christian Riege (Inactive)
              Votes:
              1 Vote for this issue
              Watchers:
              4 Start watching this issue

                Created:
                Updated:
                Resolved: