GothenburgBitFactory / taskwarrior

Taskwarrior - Command line Task Management
https://taskwarrior.org
MIT License

[TW-1885] Task Sync does not send TLS SNI headers #1898

Closed taskwarrior closed 6 years ago

taskwarrior commented 6 years ago

Dan Callahan on 2017-01-11T19:20:38Z says:

By default, encrypted traffic can only be routed by IP address. The SNI (Server Name Indication) extension to TLS makes it possible for proxies to route encrypted traffic based on hostnames, without needing to decrypt the traffic.

I have many domains behind a single IPv4 address. Without SNI, I have to listen (and respond!) on :53589 on all my domains. With SNI, I could only respond to :53589 on my taskd.* domain, or I could have multiple taskd instances behind the same IP, but at different domains.

In GNUTLS, the SNI header is set with gnutls_server_name_set.

Docs: https://www.gnutls.org/manual/html_node/Server-name-indication.html

Example from gnutls-cli: https://github.com/gnutls/gnutls/blob/8f4dcf8efe02096a782f24e202d5faed60ec94ce/src/cli.c#L697-L701

taskwarrior commented 6 years ago

Migrated metadata:

Created: 2017-01-11T19:20:38Z
Modified: 2017-02-18T22:25:15Z

taskwarrior commented 6 years ago

Paul Beckingham on 2017-02-11T18:57:05Z says:

Implemented in:

https://git.tasktools.org/projects/TM/repos/task/commits/39f8e7528e650ddd0a42648cbd89c2473281be96#src/TLSClient.cpp

https://git.tasktools.org/projects/TM/repos/libshared/commits/fa02524c1e1136153ac56493156f1a97f3fe2d57#src/shared.h

https://git.tasktools.org/projects/TM/repos/libshared/commits/6aa2b315c476bac3fdb7bf2bc259af55eee89f83

Dan, if you have a chance to scan that, I'd appreciate feedback. The IPv4/6 address detection is decent, but not complete in that it doesn't disallow certain address ranges. The SNI call matches the example you gave.
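Added example, not part of the thread and not the code from the linked commits: a stand-alone C++ sketch of the two pieces discussed above, the IP-literal check that decides whether SNI is sent at all and the `server_name` extension bytes (RFC 6066) that a proxy reads to route by hostname. The names `isIPLiteral` and `buildSNI` are hypothetical, the hosts are constructed samples, and `inet_pton` is an assumed detection method.

```cpp
#include <arpa/inet.h>   // inet_pton (POSIX)
#include <sys/socket.h>  // AF_INET, AF_INET6
#include <cstdint>
#include <cstdio>
#include <string>
#include <vector>

// True when host is an IPv4 or IPv6 literal. RFC 6066 does not permit
// address literals in the SNI HostName, so the client omits SNI for them.
bool isIPLiteral(const std::string& host) {
  unsigned char buf[16];  // large enough for an IPv6 address
  return inet_pton(AF_INET, host.c_str(), buf) == 1 ||
         inet_pton(AF_INET6, host.c_str(), buf) == 1;
}

// Build the server_name extension as it appears in a ClientHello. An empty
// result means "send no SNI". With GnuTLS the library emits these bytes when
// the client calls gnutls_server_name_set(session, GNUTLS_NAME_DNS, ...).
std::vector<uint8_t> buildSNI(std::string host) {
  if (!host.empty() && host.back() == '.') host.pop_back();  // no trailing dot
  if (host.empty() || host.size() > 255 || isIPLiteral(host)) return {};
  auto put16 = [](std::vector<uint8_t>& v, size_t n) {
    v.push_back(static_cast<uint8_t>(n >> 8));
    v.push_back(static_cast<uint8_t>(n & 0xFF));
  };
  std::vector<uint8_t> ext;
  put16(ext, 0x0000);           // extension_type: server_name
  put16(ext, host.size() + 5);  // extension_data length
  put16(ext, host.size() + 3);  // ServerNameList length
  ext.push_back(0x00);          // NameType: host_name
  put16(ext, host.size());      // HostName length
  ext.insert(ext.end(), host.begin(), host.end());
  return ext;
}

int main() {
  // Constructed sample hosts (documentation ranges), not from the issue.
  for (const char* h : {"taskd.example.org", "192.0.2.10", "2001:db8::1"}) {
    std::vector<uint8_t> ext = buildSNI(h);
    std::printf("%s: ", h);
    if (ext.empty()) std::printf("no SNI sent");
    for (uint8_t b : ext) std::printf("%02x", b);
    std::printf("\n");
  }
  return 0;
}
```

The hostname travels in cleartext inside the ClientHello, which is what lets a proxy route on it without decrypting the session.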

taskwarrior commented 6 years ago

Paul Beckingham on 2017-02-18T22:25:15Z says:

No response.

Code verified by Tomáš.