summaryrefslogtreecommitdiff
path: root/posts/curl-and-the-tls-sni-extension.rst
diff options
context:
space:
mode:
authorOlivier Gayot <og@satcom1.com>2016-08-01 15:32:22 +0200
committerOlivier Gayot <og@satcom1.com>2016-08-01 15:32:22 +0200
commit828c85cadee033c1a44b83d415c016b26493e6c3 (patch)
treecd54f7714e77e02232ad6f2420c49ebb572c94de /posts/curl-and-the-tls-sni-extension.rst
parent74749fccd69770ae603daa033a005304e90f51d6 (diff)
fixed typos and indentation.
Signed-off-by: Olivier Gayot <og@satcom1.com>
Diffstat (limited to 'posts/curl-and-the-tls-sni-extension.rst')
-rw-r--r--posts/curl-and-the-tls-sni-extension.rst53
1 files changed, 27 insertions, 26 deletions
diff --git a/posts/curl-and-the-tls-sni-extension.rst b/posts/curl-and-the-tls-sni-extension.rst
index 6bea31a..39d3f35 100644
--- a/posts/curl-and-the-tls-sni-extension.rst
+++ b/posts/curl-and-the-tls-sni-extension.rst
@@ -86,7 +86,7 @@ Let's try that out with HTTP::
$ curl http://176.31.99.217
default
-The default server is served because 172.31.99.217 does not match any
+The default website is served because 172.31.99.217 does not match any
virtualhost *server_name* directive::
$ curl http://vhost1.example.org
@@ -112,7 +112,7 @@ We are offered (at least) two possibilities:
vhost2
* specifying the **Host** header manually using the option **-H** of cURL. This
- is the recommended way in most cases.
+ is my favorite way in most cases.
Example::
$ curl http://176.31.99.217 -H 'Host: vhost1.example.org'
@@ -150,8 +150,8 @@ certificate, but it is not valid for *176.31.99.217*, only *example.org*.
This is a normal behaviour. We can solve this issue by creating a certificate
valid for *example.org* and *176.31.99.217* for example.
-But what about requesting our virtualhosts ? Well, pretty much the same as
-before (unless you didn't clear your */etc/hosts* file.::
+But what about requesting our virtualhosts ? Well, pretty much the same happens
+as it did before (unless you didn't clear your */etc/hosts* file).::
$ curl https://vhost1.example.org
curl: (6) Could not resolve host: vhost1.example.org
@@ -160,22 +160,22 @@ before (unless you didn't clear your */etc/hosts* file.::
The good news is: it will still work if you modify your */etc/hosts* file (huray)::
- $ cat /etc/hosts
- 127.0.0.1 localhost
- 176.31.99.217 vhost1.example.org
- 176.31.99.217 vhost2.example.org
+ $ cat /etc/hosts
+ 127.0.0.1 localhost
+ 176.31.99.217 vhost1.example.org
+ 176.31.99.217 vhost2.example.org
- $ curl https://vhost1.example.org
- vhost1
- $ curl https://vhost2.example.org
- vhost2
+ $ curl https://vhost1.example.org
+ vhost1
+ $ curl https://vhost2.example.org
+ vhost2
And the bad news is::
- $ curl https://176.31.99.217 -H 'Host: vhost1.example.org'
- curl: (51) SSL: certificate subject name 'example.org' does not match target host name '176.31.99.217'
- $ curl https://176.31.99.217 -H 'Host: vhost2.example.org'
- curl: (51) SSL: certificate subject name 'example.org' does not match target host name '176.31.99.217'
+ $ curl https://176.31.99.217 -H 'Host: vhost1.example.org'
+ curl: (51) SSL: certificate subject name 'example.org' does not match target host name '176.31.99.217'
+ $ curl https://176.31.99.217 -H 'Host: vhost2.example.org'
+ curl: (51) SSL: certificate subject name 'example.org' does not match target host name '176.31.99.217'
So why does it fail ?
@@ -184,22 +184,23 @@ website to serve. Nevertheless, when HTTPS is being used, the first thing that
the user agent and the server have to do is negociate the certificate. At this
point, the HTTP headers have just NOT been sent yet.
-So how does the webserver decides which certificate to send ?
+So how does the webserver decide which certificate to send ?
-.. note:: 10 years ago, it was simply not possible. The webservers had to send the same certificate for every virtualhost behind the same address and port.
+.. note:: 10 years ago, that was simply not possible. The webservers had to send the same certificate for every virtualhost behind the same address and port.
-Nowadays, there is a TLS extension, SNI (which stands for Server Name
-Indication) that is supported by most browsers and operating systems. The TLS
-stack present in Windows XP does not support it. As a consequence, Internet
-Explorer under Windows XP cannot use SNI. But most other browsers use their own
+Nowadays, there is a TLS extension named **SNI**, which stands for Server
+Name Indication, which has been created to address this issue. SNI is supported
+by most browsers and operating systems. However, the TLS stack present in
+Windows XP does not support it. As a consequence, Internet Explorer under
+Windows XP cannot use SNI. But most other browsers use their own
TLS stack and can thus use SNI even under XP.
.. note:: See more on Wikipedia: https://en.wikipedia.org/wiki/Server_Name_Indication
Briefly, the extension works by sending the server name along with the first
TLS packet. This way, the remote server knows which certificate to reply with.
-Only then, after the certificate has been negociated, that the server can
-analyse the *Host* header.
+Only then, after the certificate has been negociated, the server can receives
+the HTTP headers and is able to analyse the *Host* header.
.. note:: The host header does not require to match with the server name that has been sent in the TLS packet.
@@ -207,8 +208,8 @@ So what can we do ?
* We can still use the */etc/hosts* file as previously stated.
* We can also use the **--resolve** option of cURL (which does pretty much the
- same thing as modyfiying the */etc/hosts* file (the 443 is the port being
- used): example::
+ same thing as modyfiying the */etc/hosts* file). The 443 is the port being
+ used: example::
$ curl https://vhost1.example.org --resolve vhost1.example.org:443:176.31.99.217
> vhost1