Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

"No server name in ClientHello" errors #202

Open
extrawurst opened this issue Oct 22, 2024 · 7 comments
Open

"No server name in ClientHello" errors #202

extrawurst opened this issue Oct 22, 2024 · 7 comments

Comments

@extrawurst
Copy link

I am seeing regular errors like this in my environment even though i am only using ACME for SSL and that works perfectly fine.

rpxy-1         | 2024-10-22T03:37:24.816615Z ERROR No server name in ClientHello
rpxy-1         | 2024-10-22T03:37:24.817029Z ERROR No server name in ClientHello
rpxy-1         | 2024-10-22T03:37:24.818541Z ERROR Failed to build TLS acceptor: peer is incompatible: SignatureAlgorithmsExtensionRequired
rpxy-1         | 2024-10-22T03:37:24.818814Z ERROR Failed to build TLS acceptor: received corrupt message of type MissingData("ClientHelloPayload")
rpxy-1         | 2024-10-22T03:37:24.818886Z ERROR No server name in ClientHello
rpxy-1         | 2024-10-22T03:37:24.871406Z ERROR Failed to build TLS acceptor: peer is incompatible: SignatureAlgorithmsExtensionRequired
rpxy-1         | 2024-10-22T03:37:24.879289Z ERROR Failed to build TLS acceptor: received corrupt message of type InvalidContentType

Any ideas what this is caused by, why it errors even though everything seems to work or how to prevent these errors?

@Gamerboy59
Copy link
Contributor

I'm not seeing this on my instance but to me this looks like somebody is trying to connect with broken protocol support (on client side). Is it within Docker or standalone?

@extrawurst
Copy link
Author

this is inside docker. there is no request logged before or after that could be related to that 🤔

@junkurihara
Copy link
Owner

junkurihara commented Oct 24, 2024

Hi, as @Gamerboy59 mentioned, it seems that a client sent a TLS ClientHello message which is unacceptable to rpxy.

Technically, it is NOT malicious nor invalid. The ServerNameIndication (SNI) is an extension of TLS ClientHello message. It is currently supported by most of TLS clients and servers, and usually used by default for TLS connection based on domain names. So, the use of SNI is a de-facto standard.

But SNI is not enforced to be used, and very legacy clients do not support SNI (maybe ones early 2000s). Also, if a TLS connection is initiated not with a domain name but with an IP address, ClientHello does not contain SNI.

Here recall that certificates are issued to Common Names, i.e., domain names. Also recall that a certificate is presented in the response (ServerHello) to the given ClientHello. So, the SNI is actually mandatory since the server must chose the certificate matched to the requested service, i.e., the domain name.

In rpxy, We designed rpxy by considering the above principle. Specifically, TLS ClientHello with no SNI is rejected since it cannot be routed to any backend app.

@extrawurst
Copy link
Author

@junkurihara thanks for the explanation. I had no idea ClientHello is part of the TLS standard and handshake. would be great if it could log out a bit more info about the request that in effect will be rejected then because of this error

@xkr47
Copy link
Contributor

xkr47 commented Oct 27, 2024

While I think the principle is solid especially given rpxy's effortless multi-domain support, I also feel a bit like "it could be supported". @extrawurst do you have any options to make requests so that they include SNI?

I'm just thinking, if the server has just one certificate installed, maybe requests without SNI could be allowed?

@Gamerboy59
Copy link
Contributor

Gamerboy59 commented Oct 28, 2024

@xkr47 Do you think of something like a wildcard certificate which replies to all requests (even ip only requests where tls is technically impossible with the currently implementes mechanism)? It might be possible but that's not how tls works and is implemented anywhere so it would require huge customization effort. Updating the client to support a recent (and even ten year old) version of tls protocol would be more helpful.

@xkr47
Copy link
Contributor

xkr47 commented Oct 28, 2024

@Gamerboy59 Yeah I know, it does not make much sense from a browser perspective. Have just been working with enough old non-browser clients to know upgrading old existing code can be a pain. But yeah, I kindof agree that it is better that rpxy has this security-first approach, it gives most users a much better experience and comfort.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

4 participants