
I tested the "Download()" function in CkHTTP to get content from a webserver with TLS SNI (RFC3546) enabled. But no hostname was sent to it. With SNI the client sends the hostname as part of the Client Hello in TLS. This is supported by every major web browser. The advantage for the server side is that more than one HTTPS website can be hosted with one IP and on the same port.
Is there a possibility to enable it or is it planned as a new feature?

asked Sep 03 '14 at 19:02

serras

This is implemented for the next version (v9.5.0.44). If you would like to test a pre-release, please indicate the exact build required (operating system, programming language, architecture, etc.)

answered Sep 04 '14 at 10:10

chilkat ♦♦

That is great. I'm happy to test it with a pre-release. We use the Microsoft Visual Studio C++ 2010 SP1 32 Bit (Windows) Build.

answered Sep 04 '14 at 10:17

serras

answered Sep 05 '14 at 08:42

chilkat ♦♦

I have tested the pre-release build. It is working if no HTTP proxy is configured. Then the SNI extension is sent. If an HTTP proxy is set, the extension is missing in the Client Hello message of the TLS handshake. I checked it with Wireshark.
Can you have a look at it? Thanks.

answered Sep 09 '14 at 10:37

serras

Yes, I'll have a look...

PS> If the proxy is an IP address, then no SNI can be used. SNI only makes sense when it's a domain name, not a numeric dotted IP address.

answered Sep 11 '14 at 20:51

chilkat ♦♦

edited Sep 11 '14 at 20:52

I don't know if you misunderstand me. I do not expect the SNI to be sent at the connect to the HTTP proxy, but to the webserver behind the proxy.

CkHttp http;
http.put_ProxyDomain("proxy.example.com");
http.put_ProxyPort(3128);
http.Download("https://bob.sni.velox.ch/","test.html");

https://bob.sni.velox.ch/ is a test page for SNI that is linked at Wikipedia.
When no HTTP proxy is set, the correct webpage bob.sni.velox.ch is called. With put_ProxyDomain(), the wrong page alice.sni.velox.ch is delivered by the webserver.

answered Sep 12 '14 at 08:31

serras

Thanks, but it is the proxy that establishes the SSL/TLS connection with the HTTP server. Therefore, it is the proxy software that must use SNI. Does the proxy seem to use SNI when a browser (Firefox) navigates to "https://bob.sni.velox.ch/"? If so, and if Chilkat does not, then it can only be that there is some sort of information in the HTTP request that causes SNI to be used. I can't think of anything that would be different. I would fully expect Firefox to have the same behavior as Chilkat when going through a proxy, because neither Firefox nor Chilkat is establishing the actual TLS connection with the web server.

answered Sep 12 '14 at 08:45

chilkat ♦♦

If I use Firefox, the connection to the correct website is established. Our HTTP proxy is the common product Squid proxy.
When an HTTPS connection is established via a proxy, Firefox and Chilkat send via HTTP a "CONNECT bob.sni.velox.ch 443" to the Squid. The Squid answers with a "HTTP/1.1 200 Connection established\r\n". After that the TLS handshake with "Client Hello" begins. Firefox includes a server_name extension and the Chilkat client does not.
As far as I know, Squid does not act as a man-in-the-middle on an HTTPS connection, but after the first CONNECT sends everything without change from the client to the webserver and back.

I send you the Wireshark log from the test (only the relevant part) and the Chilkat DebugLog via email to the support address.

answered Sep 12 '14 at 10:48

serras

Serras, ahhh yes! My mistake. I forgot. I'll take care of it..

answered Sep 12 '14 at 10:55

chilkat ♦♦

The pre-release build is updated (same URL).

http://www.chilkatsoft.com/download/preRelease/chilkat-9.5.0-x86-vc10-sp1.zip

This should fix the HTTP proxy case. It also fixes the case for SOCKS proxies as well..

answered Sep 15 '14 at 08:11

chilkat ♦♦


Asked: Sep 03 '14 at 19:02

Seen: 1,621 times

Last updated: Oct 14 '14 at 09:26
