SNI servername not passed when tunneling via proxy
Simplest Example to Reproduce
Our TLS client uses the native Node.js options.servername property to specify an SNI servername different from the FQDN of the destination web server. This allows the server to direct traffic and present the correct certificate based on the servername. But this breaks when an HTTP proxy is used with the request library. We reproduced using squid as the HTTP proxy.
The reason we cannot just use the FQDN as the servername is that the SNI servername is a special fabricated string that does not resolve to an IP address. It is used purely for routing on the server side.
Expected Behavior
The TLS connection to the destination server should succeed when specifying the correct servername and using a proxy.
Current Behavior
The TLS connection fails because the server presents the wrong certificate.
Possible Solution
This solution was verified to work. It involves patching 2 files:
Forward the request.servername property in constructTunnelOptions() in tunnel.js:
{ servername: self.options.servername || options.host }