Implement SNI Fallback in TLS settings #8124
Conversation
This comment has been minimized.
This comment has been minimized.
|
Hello @akx, How does this differ from using the defaultCertificate for non-matching requests? (https://doc.traefik.io/traefik/https/tls/#default-certificate) |
Hi @dtomcej – as discussed in #2829 (comment) |
akx
force-pushed
the
sni-fallback
branch
2 times, most recently
from
80d6508
to
d511785
Compare
|
Hi, |
|
Rebased on |
jbdoumenjou
added
status/1-needs-design-review
and removed
status/0-needs-triage
labels
|
Rebased on @jbdoumenjou Is there anything I can do to move this forward? |
|
Hello @akx, Thanks for your contribution! This PR is labeled We will come back to you soon when we did the first design review iteration. |
|
@jbdoumenjou Hi there! Sorry to keep bothering you – how's the design review process coming along? I don't think this is a very large change architecturally, and it's really a last-chance fallback thing... |
|
Hi, would anyone know if/when this will be reviewed? I've encountered this issue a few times now and would be willing to offer help if required. |
|
@jbdoumenjou Any news? 🍂 I rebased this branch for your convenience. |
This implements an optional `sniFallback` field in TLS options. It can be used in conjunction with SNI-less requests and Let's Encrypt certificates, to blindly assume a request that has no other matching certificate to use a named one. Refs traefik#8123
|
Would love to see this pulled in too. Here is another request on community https://community.traefik.io/t/tls-options-for-snistrict-false-in-tcp-router/4626 I have a need for this to implement DNS over TLS since not even modern smartphones send SNI when doing DoT requests. Thanks @akx for your contribution. Any update from the @traefik team on this? It has been more than 8 months since this was raised! |
|
Hello @akx, While we definitely see the benefit of your changes to handle SNI-less requests, we were hesitant about the solution and we finally decided to decline the PR, and here's why: We acknowledge that what we already have (i.e. to let the default cert being selected when no cert matches the SNI) feels a bit uneasy, as it seems to go against the intent of the SNI concept. Which is exactly why we have the sniStrict option by the way. In that regard, we do not like the idea of going further in that "wrong" direction, i.e. to widen the pool of possible certs when SNI does not match. Which is why we'd rather go in a subtly different direction (to achieve a similar goal): we won't change the fact that we get the default cert when there is no SNI match, but we'll expand on the mechanisms that can (dynamically) generate the (unique) default cert. To that end, we've already started investigating a way to generate the default cert through Let's Encrypt, and we'll keep you posted on how that goes. |
Does this mean that if an HTTPS request comes in without SNI, a Let's Encrypt cert can be served? Also, is there a place we can track these changes? |
|
Hello @adyanth,
Yes, Traefik will still have the same behavior as of today, without an SNI value (and when option Since the feature would be to generate the default cert through Let's Encrypt, in that case, the default certificate served will be a Let's Encrypt certificate.
We will link the PR bringing the feature when it will be opened. |
|
@rtribotte Any news on the investigation for a replacement feature? I'd still have a need for this, approximately a year later from me originally opening this PR... |
What does this PR do?
This implements an optional
sniFallbackfield in TLS options, akin to what I requested in #8123.It can be used in conjunction with SNI-less requests and Let's Encrypt certificates, to blindly assume a request that has no other matching certificate to use a named one.
Motivation
Please see #8123.
More