"No server name in ClientHello" errors #202
Comments
I'm not seeing this on my instance but to me this looks like somebody is trying to connect with broken protocol support (on client side). Is it within Docker or standalone?
This is inside Docker. There is no request logged before or after that could be related to that 🤔
Hi, as @Gamerboy59 mentioned, it seems that a client sent a TLS Technically, it is NOT malicious nor invalid. The But SNI is not enforced to be used, and very legacy clients do not support SNI (maybe ones early 2000s). Also, if a TLS connection is initiated not with a domain name but with an IP address, Here recall that certificates are issued to Common Names, i.e., domain names. Also recall that a certificate is presented in the response ( In
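What the server looks for before it logs this error, as an added example that is not part of the thread or of rpxy's code: a std-only Rust parser that reads a raw TLS ClientHello record and reports whether it carries the `server_name` (SNI) extension. The function names and the constructed sample record are assumptions made for the illustration.

```rust
// Added example (not rpxy code); every name below is hypothetical.
fn take<'a>(buf: &mut &'a [u8], n: usize) -> Option<&'a [u8]> {
    let (head, tail) = (buf.get(..n)?, buf.get(n..)?);
    *buf = tail;
    Some(head)
}
/// Reads a `w`-byte big-endian length prefix, then returns that many bytes.
fn field<'a>(buf: &mut &'a [u8], w: usize) -> Option<&'a [u8]> {
    let n = take(buf, w)?.iter().fold(0usize, |acc, &x| (acc << 8) | x as usize);
    take(buf, n)
}
/// None = malformed; Some(None) = valid ClientHello without SNI; Some(Some(host)) = SNI.
fn client_hello_sni(mut b: &[u8]) -> Option<Option<String>> {
    if take(&mut b, 3)?[0] != 0x16 { return None; }   // handshake record type, version
    let mut hs = field(&mut b, 2)?;                    // record payload
    if take(&mut hs, 1)?[0] != 0x01 { return None; }  // handshake type ClientHello
    let mut ch = field(&mut hs, 3)?;
    take(&mut ch, 2 + 32)?;                            // client_version, random
    for &w in &[1, 2, 1] { field(&mut ch, w)?; }       // session_id, cipher_suites, compression
    if ch.is_empty() { return Some(None); }            // legacy hello: no extensions block
    let mut exts = field(&mut ch, 2)?;
    while !exts.is_empty() {
        let ext_type = take(&mut exts, 2)?;
        let mut body = field(&mut exts, 2)?;
        if ext_type != &[0u8, 0][..] { continue; }     // 0 = server_name (RFC 6066)
        let mut names = field(&mut body, 2)?;
        if take(&mut names, 1)?[0] != 0 { continue; }  // 0 = host_name
        return String::from_utf8(field(&mut names, 2)?.to_vec()).ok().map(Some);
    }
    Some(None)
}
/// Constructed sample input: a minimal ClientHello record, with or without SNI.
fn sample(host: Option<&str>) -> Vec<u8> {
    let mut ext = vec![0, 0x0b, 0, 2, 1, 0];                         // ec_point_formats
    if let Some(h) = host {
        let l = h.len() as u8;                                        // sample names are short
        ext.extend_from_slice(&[0, 0, 0, l + 5, 0, l + 3, 0, 0, l]); // server_name headers
        ext.extend_from_slice(h.as_bytes());
    }
    let n = 43 + ext.len() as u8;                                     // ClientHello body length
    let mut rec = vec![0x16, 3, 1, 0, n + 4, 1, 0, 0, n, 3, 3];      // headers, client_version
    rec.extend_from_slice(&[0; 32]);                                  // random
    rec.extend_from_slice(&[0, 0, 2, 0x13, 0x01, 1, 0, 0, ext.len() as u8]);
    rec.extend_from_slice(&ext);
    rec
}
fn main() {
    for h in &[Some("app.example.test"), None] { println!("{:?}", client_hello_sni(&sample(*h))); }
}
```

The `Some(None)` case is the one the error message in this issue describes: a well-formed ClientHello that names no host.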
@junkurihara thanks for the explanation. I had no idea
While I think the principle is solid especially given rpxy's effortless multi-domain support, I also feel a bit like "it could be supported". @extrawurst do you have any options to make requests so that they include SNI? I'm just thinking, if the server has just one certificate installed, maybe requests without SNI could be allowed?
@xkr47 Do you think of something like a wildcard certificate which replies to all requests (even IP-only requests where TLS is technically impossible with the currently implemented mechanism)? It might be possible but that's not how TLS works and is implemented anywhere so it would require huge customization effort. Updating the client to support a recent (and even ten year old) version of TLS protocol would be more helpful.
@Gamerboy59 Yeah I know, it does not make much sense from a browser perspective. Have just been working with enough old non-browser clients to know upgrading old existing code can be a pain. But yeah, I kind of agree that it is better that rpxy has this security-first approach, it gives most users a much better experience and comfort.
I am seeing regular errors like this in my environment even though I am only using ACME for SSL and that works perfectly fine.
Any ideas what this is caused by, why it errors even though everything seems to work or how to prevent these errors?