Closed d47081 closed 1 month ago
Found this in logs:
replying to server #3
handshake: missing SNI
201:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:39532 GET 59 Wrong/malformed host or missing SNI
I've tried to add this option, but it doesn't help, and SNI is
related to the proxy, not the local folder.
Here is my config also:
server "xxx:xxxx:xxxx:xxxx::xx" {
    listen on xxx:xxxx:xxxx:xxxx::xx port 1965
    cert "/home/gmid/host/xxx:xxxx:xxxx:xxxx::xx/cert.pem"
    key "/home/gmid/host/xxx:xxxx:xxxx:xxxx::xx/key.rsa"
    root "/home/gmid/host/xxx:xxxx:xxxx:xxxx::xx/public"
    index "index.gmi"
}
Without knowing how Yggdrasil works, I think the issue is that the client connecting to gmid is not providing any SNI (server name indication).
gmid relies on the client to use SNI to understand which virtual host the client wants to talk to, and from my understanding bare IPv4 or IPv6 addresses can't be used as host names in TLS.
I'm not sure whether gmid should gracefully handle the omission of the SNI, as it's mandatory per the gemini specification. On the other hand, I see how this could be useful for some niche use-cases.
I guess that for your use-case with Yggdrasil you can't use a hostname?
Yggdrasil works like any IPv6 interface, but in the 'dead' 0200::/7
range (validators sometimes skip this fake address range).
Just curious, does gmid support IPv6 addresses in the names? If yes, it will support Yggdrasil as well. If not, it would be nice to have this option, because I don't want to launch another server :)
Well, the gemini specification says that
Client and server implementations MUST support TLS SNI (Server Name Indication) and clients MUST include hostname information when making requests for URLs where the authority section is a hostname.
and I probably missed the "where the authority section is a hostname", which seems to imply that it's also OK to make requests without SNI if you want to talk to a bare IPv4 or IPv6 address.
At the moment gmid always requires an SNI from the client, I'll see what can be done to relax this requirement.
Thanks!
I believe this is now fixed. I've relaxed the requirements for SNI in 1ef0cd0cdb6512fad96ecf0830e581af677d5947 and then added support for IPv6 addresses in the IRI parsing code in b00f71ba97cf4448446fc5ccf715ca0dfda3a93b, and added some tests.
I've tested this configuration
server "::1" {
    listen on ::1 port 10965
    cert "..."
    key "..."
    root "..."
}
and it works for me. Don't wrap IPv6 addresses in braces [...] in the server and listen directives.
I've tagged 2.0.3 which also includes this fix, so I'm closing this for now.
Thanks for the report!
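The two rules this thread settles on (a client sends SNI only when the authority is a hostname, and a server that receives no SNI has to pick the virtual host some other way), as an added Python example that is not part of gmid or of this thread. It assumes a gmid-style list of bare server names (no [...] brackets), a hypothetical select_vhost() fallback to the host in the request line when no SNI arrives (an assumption about the shape of such a check, not gmid's actual code), and the Gemini default port 1965. gemini_request() opens a real TLS connection, so only point it at a server you control.

```python
"""Gemini SNI handling for IP-literal authorities (added example, not gmid code)."""
import ipaddress
import socket
import ssl
from urllib.parse import urlsplit

GEMINI_DEFAULT_PORT = 1965


def parse_authority(url):
    """Return (host, port, is_ip_literal) for a gemini:// URL.

    urlsplit() strips the [...] brackets from an IPv6 literal, so the host
    comes back bare ("::1"), the same unbracketed form gmid expects in its
    server and listen directives.
    """
    parts = urlsplit(url)
    if parts.scheme != "gemini":
        raise ValueError("not a gemini URL: %r" % url)
    host = parts.hostname
    if not host:
        raise ValueError("URL has no authority: %r" % url)
    port = parts.port or GEMINI_DEFAULT_PORT
    try:
        ipaddress.ip_address(host)
        is_literal = True
    except ValueError:
        is_literal = False
    return host, port, is_literal


def sni_for(url):
    """Hostname to send as TLS SNI, or None for an IP-literal authority.

    RFC 6066 does not allow literal IPv4/IPv6 addresses in the SNI HostName
    field, and the Gemini spec only requires SNI when the authority is a
    hostname, so a client talking to a bare address omits the extension.
    """
    host, _, is_literal = parse_authority(url)
    return None if is_literal else host


def _same_host(a, b):
    """Compare two host names; IP literals are compared as addresses so
    "::1" and "0:0:0:0:0:0:0:1" are treated as the same server."""
    try:
        return ipaddress.ip_address(a) == ipaddress.ip_address(b)
    except ValueError:
        return a.lower() == b.lower()


def select_vhost(server_names, sni, request_url):
    """Hypothetical relaxed vhost selection (assumption, not gmid internals):
    use the SNI when the client sent one, otherwise fall back to the host
    in the request line. Returns the matching server name or None."""
    requested = sni if sni else parse_authority(request_url)[0]
    for name in server_names:
        if _same_host(name, requested):
            return name
    return None


def gemini_request(url, timeout=10):
    """Send one Gemini request and return the response header line.

    Gemini uses trust-on-first-use for certificates, so verification is
    disabled here; the point shown is the SNI decision in wrap_socket().
    """
    host, port, _ = parse_authority(url)
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # must precede CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    with socket.create_connection((host, port), timeout=timeout) as raw:
        # server_hostname=None leaves the SNI extension out entirely
        with ctx.wrap_socket(raw, server_hostname=sni_for(url)) as tls:
            tls.sendall((url + "\r\n").encode("utf-8"))
            header = b""
            while not header.endswith(b"\r\n") and len(header) < 1029:
                chunk = tls.recv(1)
                if not chunk:
                    break
                header += chunk
    return header.decode("utf-8", "replace").rstrip("\r\n")


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "gemini://[::1]:10965/"
    print(sni_for(target))          # None for an IPv6 literal
    print(gemini_request(target))   # e.g. "20 text/gemini"
```

With the server "::1" block from the comment above, a request for gemini://[::1]:10965/ arrives with no SNI and still lands on that block, while a request carrying SNI "example.org" would be routed by name as before; the brackets belong in the URL, never in the server or listen directive.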
I'm using Yggdrasil, and want to host a capsule without a regular domain name.
When defining an IPv6 address in the config, e.g.
server "[xxx:xxxx:xxxx:xxxx:xx]"
I get an incomplete header error. With
/etc/hosts
it works using a domain alias, but not with the IP.