Re: [Sks-devel] pain of joining hkps -- reverse proxy config in apache i

From: Nat Howard
Subject: Re: [Sks-devel] pain of joining hkps -- reverse proxy config in apache issue with ""
Date: Fri, 8 Nov 2013 19:09:57 -0500

Thanks, Daniel and Kristian, for all your help -- I'll give Daniel's plan a 
try.   No news (and appearing in the green for hkps on 
the status page) will be good news.

On Nov 8, 2013, at 5:18 PM, Daniel Kahn Gillmor wrote:

> On 11/08/2013 03:33 PM, Nat Howard wrote:
>> Unfortunately, I made the mistake of asking Kristian if I was done now.   
>> And his answer was, "Make sure to set up the vhost for 
>> and he was kind enough to give me the exact command that should work:
>>  curl --cacert $HOME/.gnupg/sks-keyservers.netCA.pem -H'Host: 
>> "";
> as your apache error logs point out, this is not actually the correct 
> command, because curl is extracting the hostname for SNI from the URL string 
> (before the TLS handshake completes), but is sending the overridden Host: 
> HTTP header (after the TLS handshake).  No sane HTTP client will do this, so 
> i would not expect your server to consider it a valid request.
>> [Fri Nov 08 20:05:08.463086 2013] [ssl:error] [pid 6293] AH02032: Hostname 
>> provided via SNI and hostname 
>> provided via HTTP are different.
> exactly.
> If you want to test this explicitly (that is, you want the connection to go 
> to your server and your server only, but you want to see how it looks when 
> someone lands there as the result of the DNS rr pool), you can override the 
> DNS system by putting a line in your /etc/hosts:
> (replacing with your server's public-facing IP address, of course) 
> and then make a normal connection:
> curl --cacert $HOME/.gnupg/sks-keyservers.netCA.pem \
> Once you've tested it, remember to remove or comment out the line from 
> /etc/hosts!
>> Now, the interesting thing is, if I change the curl command just a little 
>> bit, so it uses the "-H" arg with "" instead of 
>> "", I get a "correct" response -- that is, my 
>> stats in HTML, and no messages in the log file.   That is: this works:
>>   curl --cacert $HOME/.gnupg/sks-keyservers.netCA.pem -H'Host: 
>>'  "";
> right, because this is what curl would have sent as the Host: HTTP header 
> anyway :)
>>  I noticed that some of you in the "hkps green zone" on the status page 
>> *also* don't have this working (I won't name names!).
> If there are misconfigurations or problems, please do name names.  We learn 
> from each other's instruction and diagnostics on this mailing list :)
>> In fact, almost all of the ones I tried didn't have this working (Yes, I 
>> changed the https name as appropriate in the curl command).   However 
>> congratulations to --
>> curl --cacert /Users/nrh/.gnupg/sks-keyservers.netCA.pem '-HHost: 
>>' ''
>> results in perfectly good information.   How'd you guys do it?
> yeah, what are they doing?  that's pretty weird.
>       --dkg
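The check Apache is applying when it logs AH02032, reproduced offline as an added example (this is not code from the thread, from SKS or from mod_ssl): a minimal TLS ClientHello carrying an SNI extension is constructed inline, its server_name is parsed back out and compared with the Host header of an HTTP request, exactly the two values curl's -H'Host: ...' trick makes disagree. The host names are placeholders.

```python
import struct

def build_client_hello(sni):
    """Construct a minimal TLS 1.2 ClientHello whose only extension is SNI (constructed sample)."""
    name = sni.encode()
    sni_ext = struct.pack(">HB", len(name) + 3, 0) + struct.pack(">H", len(name)) + name
    ext = struct.pack(">HH", 0, len(sni_ext)) + sni_ext      # extension type 0 = server_name
    body = (b"\x03\x03" + b"\x00" * 32 + b"\x00"             # version, random, empty session id
            + b"\x00\x02\xc0\x2f" + b"\x01\x00"              # one cipher suite, null compression
            + struct.pack(">H", len(ext)) + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body       # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack(">H", len(hs)) + hs # record type 22 = handshake

def sni_from_client_hello(data):
    """Return the server_name sent in the ClientHello, or None if no SNI extension is present."""
    p = 5 + 4 + 2 + 32                                # record header, handshake header, version, random
    p += 1 + data[p]                                  # session id
    p += 2 + struct.unpack(">H", data[p:p + 2])[0]    # cipher suites
    p += 1 + data[p]                                  # compression methods
    if p >= len(data):
        return None                                   # no extensions block at all
    end = p + 2 + struct.unpack(">H", data[p:p + 2])[0]
    p += 2
    while p + 4 <= end:
        etype, elen = struct.unpack(">HH", data[p:p + 4])
        p += 4
        if etype == 0:                                # list len (2), name type (1), name len (2), name
            nlen = struct.unpack(">H", data[p + 3:p + 5])[0]
            return data[p + 5:p + 5 + nlen].decode()
        p += elen
    return None

def host_from_request(raw):
    """Return the Host header value of an HTTP/1.1 request with any :port stripped, or None."""
    for line in raw.decode().split("\r\n")[1:]:
        if line.lower().startswith("host:"):
            return line.split(":", 1)[1].strip().split(":")[0]
    return None

def sni_matches_host(client_hello, request):
    """The AH02032 condition: the SNI name and the HTTP Host header must name the same host."""
    sni, host = sni_from_client_hello(client_hello), host_from_request(request)
    return sni is not None and host is not None and sni.lower() == host.lower()
```

Feeding it a ClientHello built for one name and a request whose Host header carries another reproduces the mismatch the server rejected; a Host header that merely adds :443 or differs in case still matches.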
