HttpClient don't send SSL server_name extension #23231
Comments
Is this on Windows or Linux? |
On windows 10. |
Hi, you can find the project with the test:

using System;
using System.Net;
using System.Net.Http;
using System.Threading.Tasks;

namespace TestSSL
{
    class Program
    {
        static void Main(string[] args)
        {
            string host = "www.google.fr";
            IPHostEntry hostEntry;
            hostEntry = Dns.GetHostEntry(host);

            // Accept SSL
            HttpClientHandler handler = new HttpClientHandler();
            handler.ServerCertificateCustomValidationCallback += (sender, cert, chain, sslPolicyErrors) => true;

            // Http Client
            HttpClient client = new HttpClient(handler);
            client.BaseAddress = new Uri("https://" + hostEntry.AddressList[0].ToString());
            client.DefaultRequestHeaders.UserAgent.ParseAdd("Mozilla/5.0 (compatible;" + DateTime.Now + " " + DateTime.Now.Millisecond + ")");
            client.DefaultRequestHeaders.Host = host;

            // Call the web site by IP. Host is defined with the full domain name of the web site
            Task<HttpResponseMessage> task = client.GetAsync(client.BaseAddress);
            task.Wait();
            HttpResponseMessage response = task.Result;
        }
    }
}

I tested again today: server_name is not defined on Windows, and also not on Debian.
Windows: Microsoft Windows [Version 10.0.15063]
Regards
[EDIT] Add full source from the zip file by @karelz |
Maybe I'm missing something here, but it looks like you're using an IP address in your URL:
We can't send SNI info if you use an IP address. Use the DNS name instead. |
No, as in .NET Framework, .NET Core should take the host for SNI because you can have several hosts on the same web server.
@karelz Do you fix it on 2.1? |
@zokiad the issue was closed as "invalid" per closing comment, so it was not fixed. I was able to reproduce the difference in behavior - .NET Core 2.0 does not send SNI in the repro above, while .NET Framework 4.7.1 does, reopening ... |
The behavior of HTTP stack on Windows (non-UWP) is handled by native Windows WinHTTP. I don't think WinHTTP will use the 'Host' header for SNI. It relies on the DNS name itself. We'll need to check into this. |
Triage: It is an important scenario. Given the limited interest so far (1 customer) and complications (it may be a WinHTTP limitation), we won't address it in 2.1. ManagedHandler should be able to handle that (and will eventually become the default), so let's keep it opened. |
I believe Stephen changed the managed handler to do this already. @stephentoub? |
OK, let's close it then. Eventually it will become default in .NET Core. Now it is opt-in. |
Hi,
The aim is to test a web farm. DNS is configured with one IP (behind it there are several servers) and redirects to one web server.
To test one server in the web farm, in Framework 4.6.2, I use the sample code:
With Framework 4.6.2, it works fine.
But in .NET Core 2, with a test on an IIS web server, the connection closes when the web client tries to negotiate SSL.
Here I use the "ebay" server, but it works on it. I didn't find an IIS server on the web. My web farm is not accessible from the web.
I debug the connection with WireShark to see the network data:
With .net core2
With Framework 4.6.2
📌 I think the issue is with .NET Core: the server_name extension is not defined. The IIS server should need to know which certificate to take.
.NET Core 2 should define server_name from client.DefaultRequestHeaders.Host or request.Headers.Host (even if BaseAddress is an IP)?
For more information:
https://idea.popcount.org/2012-06-16-dissecting-ssl-handshake/
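For the web-farm scenario described in this issue, an added example (not code from the thread or from the .NET project) of probing one node by IP while keeping the DNS name in the URL, so server_name is sent and normal certificate validation stays on. It assumes .NET 5 or later, where `SocketsHttpHandler.ConnectCallback` is available; the host name and node address are placeholders.

```csharp
using System;
using System.Net;
using System.Net.Http;
using System.Net.Sockets;
using System.Threading.Tasks;

class PinnedNodeProbe
{
    static async Task Main()
    {
        // Placeholders (assumptions): the farm's public name and one node behind it.
        const string host = "www.example.com";
        IPAddress node = IPAddress.Parse("192.0.2.10");

        var handler = new SocketsHttpHandler
        {
            // Override only the TCP connect step. The handler still runs TLS itself
            // using the host from the request URI, so SNI carries the DNS name and
            // the certificate is validated against that name.
            ConnectCallback = async (context, cancellationToken) =>
            {
                var socket = new Socket(SocketType.Stream, ProtocolType.Tcp) { NoDelay = true };
                try
                {
                    // Ignore the resolved name; connect to the chosen node on the same port.
                    var target = new IPEndPoint(node, context.DnsEndPoint.Port);
                    await socket.ConnectAsync(target, cancellationToken);
                    return new NetworkStream(socket, ownsSocket: true);
                }
                catch
                {
                    socket.Dispose();
                    throw;
                }
            }
        };

        // No ServerCertificateCustomValidationCallback: a certificate that does not
        // match the host fails the request, which is itself a useful per-node check.
        using var client = new HttpClient(handler);
        using HttpResponseMessage response = await client.GetAsync($"https://{host}/");
        Console.WriteLine($"{node} answered {(int)response.StatusCode} for {host}");
    }
}
```

Because the URL keeps the DNS name, the Host header needs no override and the accept-all certificate callback from the repro is unnecessary.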