W3C home > Mailing lists > Public > ietf-http-wg@w3.org > January to March 2016

Re: SNI vs Host: and a trailing dot

From: Daniel Stenberg <daniel@haxx.se>
Date: Thu, 17 Mar 2016 00:15:35 +0100 (CET)
To: Mark Nottingham <mnot@mnot.net>
cc: HTTP Working Group <ietf-http-wg@w3.org>
Message-ID: <alpine.DEB.2.20.1603170003080.26615@tvnag.unkk.fr>
On Thu, 17 Mar 2016, Mark Nottingham wrote:

>> I suspect HTTPS servers will use the SNI field to serve contents
>
> They shouldn't be doing that (if indeed they do); SNI is only for selecting 
> the certificate, not anything to do with what happens inside HTTP.

Right, I wrote that part too quick without thinking properly. Sorry. Thanks 
for clearing that up!

I've since tested a bunch of random popular HTTPS sites by adding a dot to the 
host name in the Host: header (while keeping it out of the SNI field) and 
quite clearly there's a non-zero amount of servers that deliver completely 
different headers/contents than if the header is sent without the dot.

-- 

  / daniel.haxx.se
Received on Wednesday, 16 March 2016 23:16:03 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 22 March 2016 12:47:11 UTC