SNI servername not passed when tunneling via proxy #3387

Open
bcle opened this issue Aug 12, 2021 · 0 comments

Summary

SNI servername not passed when tunneling via proxy

Simplest Example to Reproduce

Our TLS client uses the native Node.js `options.servername` property to specify an SNI servername different than the FQDN of the destination web server. This allows the server to direct traffic and present the correct certificate based on the servername. But this breaks when an HTTP proxy is used with the request library. We reproduced this using Squid as the HTTP proxy.

The reason we cannot just set the FQDN to the servername is that the SNI servername is a special fabricated string that does not resolve to an IP address. It is used purely for routing on the server side.

Expected Behavior

The TLS connection to the destination server should succeed when specifying the correct servername and using a proxy.

Current Behavior

The TLS connection fails because the server presents the wrong certificate.

Possible Solution

This solution was verified to work. It involves patching 2 files:

Your Environment

| software | version |
| --- | --- |
| request | 2.88.2 |
| node | 4.9.1, 6.17.1, 8.x |
| npm | |
| Operating System | CentOS 7 |
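
An added check, not part of the original issue and not the two-file patch the reporter mentions: it opens a CONNECT tunnel through a constructed local stand-in proxy, starts TLS on the tunneled socket with an explicit `servername`, and parses the ClientHello the proxy receives, showing that the SNI value on the wire is independent of the CONNECT target. The helper names `parseSni` and `sniThroughTunnel`, the target `origin.example.test:443` and the routing name `route-a.invalid` are assumptions made for this example.

```javascript
const http = require('http');
const tls = require('tls');
// Return the SNI host name carried in a raw TLS ClientHello record, or null.
function parseSni(buf) {
  if (buf.length < 43 || buf[0] !== 0x16 || buf[5] !== 0x01) return null;
  try {
    let p = 43;                        // record(5) + handshake(4) + version(2) + random(32)
    p += 1 + buf[p];                   // skip session id
    p += 2 + buf.readUInt16BE(p);      // skip cipher suites
    p += 1 + buf[p];                   // skip compression methods
    const end = p + 2 + buf.readUInt16BE(p);
    for (p += 2; p + 4 <= end; p += 4 + buf.readUInt16BE(p + 2)) {
      if (buf.readUInt16BE(p) !== 0) continue;   // 0 = server_name extension
      const nameLen = buf.readUInt16BE(p + 7);   // after list length(2) + name type(1)
      return buf.toString('ascii', p + 9, p + 9 + nameLen);
    }
  } catch (e) { /* truncated or malformed hello */ }
  return null;
}

// Tunnel through a constructed local stand-in proxy (it answers CONNECT and records
// the bytes it would forward), then report the CONNECT target and the SNI it saw.
function sniThroughTunnel(connectTarget, servername) {
  return new Promise((resolve, reject) => {
    const proxy = http.createServer();
    proxy.on('connect', (req, sock) => {
      let hello = Buffer.alloc(0);
      sock.write('HTTP/1.1 200 Connection Established\r\n\r\n');
      sock.on('data', (chunk) => {
        hello = Buffer.concat([hello, chunk]);
        // Wait until the whole TLS record (5-byte header + length) has arrived.
        if (hello.length < 5 || hello.length < 5 + hello.readUInt16BE(3)) return;
        sock.destroy();
        proxy.close();
        resolve({ connectTarget: req.url, sni: parseSni(hello) });
      });
    });
    proxy.listen(0, '127.0.0.1', () => {
      const req = http.request({ host: '127.0.0.1', port: proxy.address().port,
                                 method: 'CONNECT', path: connectTarget });
      req.on('connect', (res, socket) => {
        socket.on('error', () => {});
        // The SNI name is supplied here, separately from the CONNECT target.
        tls.connect({ socket, servername }).on('error', () => {}); // cut short on purpose
      });
      req.on('error', reject);
      req.end();
    });
  });
}
```

Calling `sniThroughTunnel('origin.example.test:443', 'route-a.invalid')` resolves with both values as the proxy side observed them; the handshake is deliberately abandoned after the ClientHello, so no certificate or real server is needed.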