[squid-users] host_verify_strict and wildcard SNI

Steve Hill steve at opendium.com
Thu Jul 7 16:41:25 UTC 2016


On 07/07/16 02:07, Alex Rousskov wrote:

> Q1. Is wildcard SNI "legal/valid"?
>
> I do not know the answer to that question. The "*.example.com" name is
> certainly legal in many DNS contexts. RFC 6066 requires HostName SNI to
> be a "fully qualified domain name", but I failed to find a strict-enough
> RFC definition of an FQDN that would either accept or reject wildcards
> as FQDNs. I would not be surprised if FQDN syntax is not defined to the
> level that would allow one to reject wildcards as FQDNs based on syntax
> alone.

Wildcards can be specified in DNS zonefiles, but I don't think you can 
ever look them up directly (rather, you look up "something.example.com" 
and the DNS server itself decides to use the wildcard record to fulfil 
that request - you never look up *.example.com itself).

> Q2. Can wildcard SNI "make sense" in some cases?
>
> Yes, of course. The client essentially says "I am trying to connect to
> _any_ example.com subdomain at this IP:port address. If you have any
> service like that, please connect me". That would work fine in
> deployment contexts where several servers with different names provide
> essentially the same service and the central "routing point" would pick
> the "best" service to use. I am not saying it is a good idea to use
> wildcard SNIs, but I can see them "making sense" in some cases.

Realistically, shouldn't the SNI reflect the DNS request that was made 
to find the IP of the server you're connecting to?  You would never make 
a DNS request for '*.example.com' so I don't see a reason why you would 
send an SNI that has a larger scope than the DNS request you made.

-- 
  - Steve Hill
    Technical Director
    Opendium Limited     http://www.opendium.com

Direct contacts:
    Instant messenger: xmpp:steve at opendium.com
    Email:            steve at opendium.com
    Phone:            sip:steve at opendium.com

Sales / enquiries contacts:
    Email:            sales at opendium.com
    Phone:            +44-1792-824568 / sip:sales at opendium.com

Support contacts:
    Email:            support at opendium.com
    Phone:            +44-1792-825748 / sip:support at opendium.com
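Added example, not code from the thread or from Squid: a Python sketch of the check Steve argues for. An SNI is accepted only if it is a plain FQDN a client could actually have resolved (no literal IP, as RFC 6066 requires, and no wildcard label, since a client never looks up `*.example.com` itself), and the destination IP must be among that name's addresses. The `host_verify_strict`-style comparison, the `resolve` callback and the DNS answers are assumptions constructed for the example.

```python
import ipaddress
import re
from typing import Callable, List, Tuple

# One DNS label: letters, digits and hyphen, no leading/trailing hyphen (LDH rule).
_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def check_sni_hostname(name: str) -> Tuple[bool, str]:
    """Return (accepted, reason) for a TLS SNI HostName value.

    Policy (an assumption of this example): accept only a fully qualified name
    that a client could have resolved in DNS. Literal IP addresses are rejected
    (RFC 6066 forbids them in HostName); a wildcard label is rejected because no
    client ever queries '*.example.com', so such an SNI is wider than any lookup.
    """
    if not name:
        return False, "empty host name"
    if len(name) > 255:
        return False, "longer than 255 octets"
    try:
        ipaddress.ip_address(name)
        return False, "literal IP address is not permitted in SNI (RFC 6066)"
    except ValueError:
        pass  # not an IP literal, carry on with host-name checks
    labels = name.split(".")
    if len(labels) < 2:
        return False, "not fully qualified (single label)"
    for label in labels:
        if "*" in label:
            return False, "wildcard label %r not accepted" % label
        if not _LABEL.match(label):
            return False, "label %r is not a valid LDH label" % label
    return True, "ok"


def verify_destination(sni: str, dest_ip: str,
                       resolve: Callable[[str], List[str]]) -> Tuple[bool, str]:
    """Simplified host_verify_strict-style check (assumption, not Squid's code):
    the SNI must pass check_sni_hostname AND the IP the client connected to must
    be among the addresses the name resolves to. A wildcard fails closed."""
    ok, reason = check_sni_hostname(sni)
    if not ok:
        return False, reason
    if dest_ip not in resolve(sni):
        return False, "%s does not resolve to %s" % (sni, dest_ip)
    return True, "ok"


# Constructed DNS answers standing in for a real resolver so the example runs offline.
_FAKE_DNS = {"www.example.com": ["192.0.2.10", "2001:db8::10"],
             "mail.example.com": ["192.0.2.20"]}


def fake_resolve(name: str) -> List[str]:
    return _FAKE_DNS.get(name, [])
```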

