taskwarrior
commented
6 years ago Migrated metadata:
Created: 2017-01-11T19:20:38Z
Modified: 2017-02-18T22:25:15ZClosed taskwarrior closed 6 years ago
taskwarrior
commented
6 years ago Migrated metadata:
Created: 2017-01-11T19:20:38Z
Modified: 2017-02-18T22:25:15ZPaul Beckingham on 2017-02-11T18:57:05Z says:
Implemented in:
https://git.tasktools.org/projects/TM/repos/task/commits/39f8e7528e650ddd0a42648cbd89c2473281be96#src/TLSClient.cpp https://git.tasktools.org/projects/TM/repos/libshared/commits/fa02524c1e1136153ac56493156f1a97f3fe2d57#src/shared.h https://git.tasktools.org/projects/TM/repos/libshared/commits/6aa2b315c476bac3fdb7bf2bc259af55eee89f83
Dan, if you have a chance to scan that, I'd appreciate feedback. The IPv4/6 address detection is decent, but not complete in that it doesn't disallow certain address ranges. The SNI call matches the example you gave.
taskwarrior
commented
6 years ago Paul Beckingham on 2017-02-18T22:25:15Z says:
No response.
Code verified by Tomáš.
Dan Callahan on 2017-01-11T19:20:38Z says:
By default, encrypted traffic can only be routed by IP address. The SNI (Server Name Indication) extension to TLS makes it possible for proxies to route encrypted traffic based on hostnames, without needing to decrypt the traffic.
I have many domains behind a single IPv4 address. Without SNI, I have to listen (and respond!) on :53589 on all my domains. With SNI, I could only respond to :53589 on my taskd.* domain, or I could have multiple taskd instances behind the same IP, but at different domains.
In GNUTLS, the SNI header is set with
gnutls_server_name_set.Docs: https://www.gnutls.org/manual/html_node/Server-name-indication.html
Example from gnutls-cli: https://github.com/gnutls/gnutls/blob/8f4dcf8efe02096a782f24e202d5faed60ec94ce/src/cli.c#L697-L701