Closed taskwarrior closed 6 years ago
Migrated metadata:
Created: 2017-01-11T19:20:38Z
Modified: 2017-02-18T22:25:15Z
Paul Beckingham on 2017-02-11T18:57:05Z says:
Implemented in:
https://git.tasktools.org/projects/TM/repos/task/commits/39f8e7528e650ddd0a42648cbd89c2473281be96#src/TLSClient.cpp
https://git.tasktools.org/projects/TM/repos/libshared/commits/fa02524c1e1136153ac56493156f1a97f3fe2d57#src/shared.h
https://git.tasktools.org/projects/TM/repos/libshared/commits/6aa2b315c476bac3fdb7bf2bc259af55eee89f83
Dan, if you have a chance to scan that, I'd appreciate feedback. The IPv4/6 address detection is decent, but not complete in that it doesn't disallow certain address ranges. The SNI call matches the example you gave.
Paul Beckingham on 2017-02-18T22:25:15Z says:
No response.
Code verified by Tomáš.
Dan Callahan on 2017-01-11T19:20:38Z says:
By default, encrypted traffic can only be routed by IP address. The SNI (Server Name Indication) extension to TLS makes it possible for proxies to route encrypted traffic based on hostnames, without needing to decrypt the traffic.
I have many domains behind a single IPv4 address. Without SNI, I have to listen (and respond!) on :53589 on all my domains. With SNI, I could only respond to :53589 on my taskd.* domain, or I could have multiple taskd instances behind the same IP, but at different domains.
In GNUTLS, the SNI header is set with gnutls_server_name_set. Docs: https://www.gnutls.org/manual/html_node/Server-name-indication.html
Example from gnutls-cli: https://github.com/gnutls/gnutls/blob/8f4dcf8efe02096a782f24e202d5faed60ec94ce/src/cli.c#L697-L701
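The following is an added example, not code from taskwarrior, libshared or gnutls-cli. It shows the caveat raised in the thread: a TLS client must not send an IPv4/IPv6 address literal as the SNI host name (RFC 6066 forbids it), so the client has to detect literals before calling gnutls_server_name_set. The function names, the USE_GNUTLS compile flag and the sample targets are assumptions made for this example; the gnutls_server_name_set call and GNUTLS_NAME_DNS are the real GnuTLS API. Build with -DUSE_GNUTLS -lgnutls to include the GnuTLS call; without it the decision logic still compiles and runs on its own.

```c
/* Added example (not taskwarrior/libshared code): decide whether the
 * connection target may be sent as the TLS SNI host name.
 * RFC 6066 forbids literal IPv4/IPv6 addresses in the SNI HostName,
 * so a client detects address literals and skips the extension. */
#include <arpa/inet.h>
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#ifdef USE_GNUTLS
#include <gnutls/gnutls.h>
#endif

/* Return 1 if host is an IPv4 or IPv6 address literal, optionally in
 * [brackets] and optionally carrying an IPv6 "%zone" suffix, else 0. */
int is_address_literal(const char *host)
{
    char buf[INET6_ADDRSTRLEN + 1];   /* holds the trimmed literal */
    unsigned char addr[16];           /* scratch space for inet_pton */
    const char *p = host;
    char *zone;
    size_t len = strlen(host);

    /* Strip surrounding brackets, e.g. "[::1]" -> "::1". */
    if (len >= 2 && host[0] == '[' && host[len - 1] == ']') {
        p = host + 1;
        len -= 2;
    }
    if (len == 0 || len >= sizeof buf)
        return 0;
    memcpy(buf, p, len);
    buf[len] = '\0';

    /* inet_pton does not accept a "%zone" scope id; drop it for the test. */
    zone = strchr(buf, '%');
    if (zone)
        *zone = '\0';

    return inet_pton(AF_INET, buf, addr) == 1 ||
           inet_pton(AF_INET6, buf, addr) == 1;
}

/* Return 1 if host is a plausible DNS name for SNI: non-empty, within
 * the 255-octet limit, and built only from ASCII letters, digits, '-'
 * and '.'. Non-ASCII names must be converted to IDNA A-labels first. */
int is_valid_sni_name(const char *host)
{
    size_t i, len = strlen(host);
    if (len == 0 || len > 255)
        return 0;
    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char)host[i];
        if (!(isalnum(c) || c == '-' || c == '.'))
            return 0;
    }
    return 1;
}

/* 1 if the client should send host as SNI, 0 if it must be omitted. */
int should_send_sni(const char *host)
{
    return !is_address_literal(host) && is_valid_sni_name(host);
}

#ifdef USE_GNUTLS
/* Set SNI on a client session only when the target is a real host name.
 * Returns 0 when the extension is skipped, else the GnuTLS status code. */
int set_sni_if_hostname(gnutls_session_t session, const char *host)
{
    if (!should_send_sni(host))
        return 0;   /* address literal: no SNI, as RFC 6066 requires */
    return gnutls_server_name_set(session, GNUTLS_NAME_DNS, host, strlen(host));
}
#endif

int main(void)
{
    /* Constructed sample targets for illustration. */
    const char *targets[] = { "taskd.example.com", "192.0.2.10",
                              "2001:db8::1", "[fe80::1%eth0]", "bad host" };
    size_t i;
    for (i = 0; i < sizeof targets / sizeof targets[0]; i++)
        printf("%-20s send SNI: %s\n", targets[i],
               should_send_sni(targets[i]) ? "yes" : "no");
    return 0;
}
```

The detection is deliberately conservative: anything inet_pton accepts (after bracket and zone stripping) is treated as a literal and gets no SNI, and anything that is neither a literal nor a syntactically plain ASCII host name is also refused, so the session never sends an SNI value the server would have to reject.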