buffrr / letsdane

🔒 Let's DANE is an experimental way to enable the use of DANE/TLSA in browsers and other apps using a lightweight proxy.
Apache License 2.0

Only works when name not followed by a dot #2

Status: Closed (rithvikvibhu closed this 3 years ago)

rithvikvibhu commented 3 years ago

I've got letsdane working (it's great, thanks @buffrr!) and it normally works fine. But when the name has a trailing dot, it doesn't.

Not a major problem, was just curious why this happens. (https://google.com. redirects normally)

Without a trailing dot: [screenshot]

With a trailing dot: [screenshot]

The log: [screenshot]

buffrr commented 3 years ago

Thank you for reporting this issue. The Server Name Indication (SNI) must not include a trailing dot per RFC 6066 Section 3. This is unfortunately an issue with the current way handshake TLDs are being used. So when using HTTPS you should remove it.

The behavior of the trailing dot in SNI varies; you can try, for example, https://cloudflare.com. or https://buffrr.dev. without using any proxy, and they will either fail in some browsers or show that the certificate is invalid because the name in the certificate does not include a trailing dot.

The Go standard TLS library follows RFC 6066 and does not allow a trailing dot in SNI, so unfortunately it's not possible to allow the usage of this (non-standard) behavior via letsdane.
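As an added illustration of the point above (this is not letsdane's code and not Go's crypto/tls source), here is a small encoder and parser for the server_name extension payload defined in RFC 6066 Section 3. The parser applies the checks a server enforces there, including the trailing-dot rejection that makes the handshake in this issue fail; the function names and the sample hostnames are constructed for the example.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"net"
	"strings"
)
// encodeServerNameList builds an RFC 6066 Section 3 ServerNameList with one host_name entry (unvalidated).
func encodeServerNameList(host string) []byte {
	out := make([]byte, 5+len(host))
	binary.BigEndian.PutUint16(out[0:2], uint16(3+len(host))) // ServerNameList length
	out[2] = 0                                                // NameType host_name(0)
	binary.BigEndian.PutUint16(out[3:5], uint16(len(host)))   // HostName length
	copy(out[5:], host)
	return out
}

// parseServerNameList decodes a ServerNameList and enforces RFC 6066 Section 3: host_name only, no IP literal, no trailing dot.
func parseServerNameList(b []byte) (string, error) {
	if len(b) < 3 || int(binary.BigEndian.Uint16(b)) != len(b)-2 {
		return "", errors.New("sni: bad list length")
	}
	for b = b[2:]; len(b) > 0; {
		if len(b) < 3 || int(binary.BigEndian.Uint16(b[1:3])) > len(b)-3 {
			return "", errors.New("sni: truncated entry")
		}
		l := int(binary.BigEndian.Uint16(b[1:3]))
		nameType, name := b[0], string(b[3:3+l])
		b = b[3+l:]
		if nameType != 0 {
			continue // unknown NameType: ignore it, as the RFC allows
		}
		if name == "" || net.ParseIP(name) != nil {
			return "", errors.New("sni: empty name or IP literal not permitted")
		}
		if strings.HasSuffix(name, ".") {
			return "", errors.New("sni: trailing dot not permitted")
		}
		return name, nil
	}
	return "", errors.New("sni: no host_name entry")
}
func main() { // constructed inputs: a plain name and the trailing-dot form from this issue
	for _, h := range []string{"example.com", "example.com."} {
		_, err := parseServerNameList(encodeServerNameList(h))
		fmt.Printf("%-15q -> %v\n", h, err)
	}
}
```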

rithvikvibhu commented 3 years ago

Ah, good to know. Thanks again :)