HttpClient don't send SSL server_name extension #23231
Comments
|
Is this on Windows or Linux? |
|
On windows 10. |
|
Please let us know the specific version of Windows 10. Please run 'CMD.EXE' window. And then type "ver". Let us know what the output is. Thx. I tried your repro on Windows 10 Version 1703 (Microsoft Windows [Version 10.0.15063]) against the "www.ebay.fr" server. But I see the SNI in WireShark:
|
|
Hi, You can find the project with test: using System;
using System.Net;
using System.Net.Http;
using System.Threading.Tasks;
namespace TestSSL
{
class Program
{
static void Main(string[] args)
{
string host = "www.google.fr";
IPHostEntry hostEntry;
hostEntry = Dns.GetHostEntry(host);
// Accept SSL
HttpClientHandler handler = new HttpClientHandler();
handler.ServerCertificateCustomValidationCallback += (sender, cert, chain, sslPolicyErrors) => true;
// Http Client
HttpClient client = new HttpClient(handler);
client.BaseAddress = new Uri("https://" + hostEntry.AddressList[0].ToString());
client.DefaultRequestHeaders.UserAgent.ParseAdd("Mozilla/5.0 (compatible;" + DateTime.Now + " " + DateTime.Now.Millisecond + ")");
client.DefaultRequestHeaders.Host = host;
// Call web site with IP. Host is define with full domain name of web site
Task<HttpResponseMessage> task = client.GetAsync(client.BaseAddress);
task.Wait();
HttpResponseMessage response = task.Result;
}
}
}I test again today, server_name is not defined on Windows but also on Debian. Windows: Microsoft Windows [Version 10.0.15063] Regards [EDIT] Add full source from the zip file by @karelz |
|
Maybe I'm missing something here, but it looks like you're using an IP address in your URL:
We can't send SNI info if you use an IP address. Use the DNS name instead. |
|
No, like on framework .net, .net core should take host for SNI because you can have several host on same web server.
@karelz Do you fix it on 2.1 ? |
|
@zokiad the issue was closed as "invalid" per closing comment, so it was not fixed. I was able to reproduce the difference in behavior - .NET Core 2.0 does not send SNI in the repro above, while .NET Framework 4.7.1 does, reopening ... |
The behavior of HTTP stack on Windows (non-UWP) is handled by native Windows WinHTTP. I don't think WinHTTP will use the 'Host' header for SNI. It relies on the DNS name itself. We'll need to check into this. |
|
Triage: It is important scenario. Given the limited interest so far (1 customer) and complications (it may be WinHTTP limitation), we won't address it in 2.1. ManagedHandler should be able to handle that (and will eventually become the default), so let's keep it opened. |
|
I believe Stephen changed the managed handler to do this already. @stephentoub? |
|
|
OK, let's close it then. Eventually it will become default in .NET Core. Now it is opt-in. |
ghost
locked as resolved and limited conversation to collaborators
Hi,
The aim is to test a web farm. DNS is configured with one IP (behind there are several servers) and redirect to one web server.
To test one server in web farm, in framework 4.6.2, I use with sample code:
With framework 4.6.2, it is work fine.
But in .net core 2, with a test on IIS server web server, the connexion close when web client try to negociate SSL.
Here I use "ebay" server but it is work on it. I don't found a IIS server on web. My web farm is not access from web.
I debug the connection with WireShark to see the network data:
With .net core2
With Framework 4.6.2
📌 I think the issue is with .net core, the extension server_name is not defined. IIS server should need known the certificat to take.
.net core 2 should define server_name from client.DefaultRequestHeaders.Host or request.Headers.Host (even if BaseAddress is an IP) ?
For more information:
https://idea.popcount.org/2012-06-16-dissecting-ssl-handshake/
The text was updated successfully, but these errors were encountered: