Re: [Bug-wget] [bug #47408] Wget sends malformed SNI host names

[Tim Ruehsen]

On Wednesday 16 March 2016 11:59:04 Daniel Stenberg wrote:
> On Wed, 16 Mar 2016, Tim Ruehsen wrote:
> > Here is a patch for both openssl and gnutls. Please comment, I'll push it
> > tomorrow.
> 
> The bug report says the SNI field should be different than the Host: header,
> but I question the sensibility in that. What would be the point? (pun not
> intended =B))
> 
> When requesting contents from an HTTPS site, the SNI field will tell the
> server which particular virtual server to get the data from and when the
> trailing dot gets stripped the two strings with and without dot will end up
> on the same virtual server. Sending a Host: header that doesn't match the
> virtual server name then is then likely to either get ignored or to cause
> the HTTP backend to complain.
> 
> It will also make it behave a bit different for HTTP than for HTTPS since
> then there's no SNI field and the Host: header is what will be used and
> then they clearly are different servers.
> 
> And incidentally, curl strips the trailing dot off from both SNI and Host:
> =)

That is what I would like to do as well. It seems consistent. And the patch 
introduces non-elegant code (not really my favor).

And for DNS lookups... is there a difference between dot and not-dot (e.g. 
example.com vs. example.com.) ?

The patch follows Yst Dawson's conclusion, though:
"That means that the SNI host name and HTTP Host header do not always match.
The SNI host name must never have a trailing dot, but the HTTP Host header
must reflect a host name that is identical to the host name of the URI, so if
the URI's host has a trailing dot, the HTTP Host header must include that
trailing dot."

Also what Jay Satiro says:
"I tried this in Firefox, Chrome and IE and all send the trailing dot for 
SNI."

Should we follow the browsers or curl ?

Tim