[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Sks-devel] pain of joining hkps -- reverse proxy config in apache i

From: Daniel Kahn Gillmor
Subject: Re: [Sks-devel] pain of joining hkps -- reverse proxy config in apache issue with ""
Date: Fri, 08 Nov 2013 17:18:45 -0500
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Icedove/24.0

On 11/08/2013 03:33 PM, Nat Howard wrote:
Unfortunately, I made the mistake of asking Kristian if I was done now.   And his answer 
was, "Make sure to setup the vhost for"
and he was kind enough to give me the exact command that should work:

  curl --cacert $HOME/.gnupg/sks-keyservers.netCA.pem -H'Host:'   

as your apache error logs point out, this is is not actually the correct command, because curl is extracting the hostname for SNI from the URL string (before the TLS handshake completes), but is sending the overridden Host: HTTP header (after the TLS handshake). No sane HTTP client will do this, so i would not expect your server to consider it a valid request.

[Fri Nov 08 20:05:08.463086 2013] [ssl:error] [pid 6293] AH02032: Hostname provided via SNI and hostname provided via HTTP are different.


If you want to test this explicitly (that is, you want the connection to go to your server and your server only, but you want to see how it looks when someone lands there as the result of the DNS rr pool), you can override the DNS system by putting a line in your /etc/hosts:

(replacing with your server's public-facing IP address, of course) and then make a normal connection:

 curl --cacert $HOME/.gnupg/sks-keyservers.netCA.pem \

Once you've tested it, remember to remove or comment out the line from /etc/hosts!

Now, the interesting thing is, if I change the curl command just a little bit, so it uses the "-H" arg with 
"" instead of "", I get a "correct" 
response -- that is, my stats in HTML, and no messages in the log file.   That is: this works:

   curl --cacert $HOME/.gnupg/sks-keyservers.netCA.pem -H'Host:'  

right, because this is what curl would have sent as the Host: HTTP header anyway :)

  I noticed that some of you in the "hkps green zone" on the status page *also* 
don't have this working (I won't name names!).

If there are misconfigurations or problems, please do name names. We learn from each others' instruction and diagnostics on this mailing list :)

 In fact, almost all of the ones I tried didn't have this working (Yes, I 
changed the https name as appropriate in the curl command).   However 
congratulations to --

curl --cacert /Users/nrh/.gnupg/sks-keyservers.netCA.pem '-HHost:' ''

results in perfectly good information.   How'd you guys do it?

yeah, what are they doing ?  that's pretty weird.


reply via email to

[Prev in Thread] Current Thread [Next in Thread]