Hi Willy,

> On May 17, 2019, at 04:03, Willy Tarreau <[email protected]> wrote:
> 
> Hi Jarno,
> 
> On Thu, May 16, 2019 at 06:49:56PM +0300, Jarno Huuskonen wrote:
>> Do the myapp.io and anotherapp.com share same certificate (ie.
>> certificate has both myapp.io and anotherapp.com SAN) ?
>> 
>> AFAIK browser can reuse the same tls connection if the certificate
>> covers both names.
> 
> Absolutely, I've already read about this though I don't know the
> implementations details. Similar concepts have been discussed quite
> a bit on the HTTP WG, though I don't understand the details of each
> variation. The main thing is that sometimes the browser will consider
> that the connection is safe to be used for another domain name because
> the first one is considered authoritative on it. I'm not sure whether
> it only learns this from the cert or also from some response headers
> though. This is also why I always say that routing on SNI is wrong
> and that only the Host header is relevant.

Everything was working without a single problem because we in fact route our 
requests based on the Host header. The problem started when we needed to validate 
some requests based on client certs and, randomly, the DN and SHA1 headers weren't 
provided.


>> When the host/sni differ do you have an earlier
>> connection (for example from same ip/port) using matching sni/host in your
>> logs ?
> 
> Normally there should indeed be one.

Yep, I can now confirm this one. A few minutes before the divergent Host x SNI, 
the user made some requests to the domain of the “wrong” SNI.

~jm
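As an added illustration of the log check Jarno suggests (for each request whose SNI differs from its Host, look for an earlier connection from the same client ip:port whose SNI matched that host) and of why the client-cert headers then go missing, here is a small script. It is example code written for this thread, not HAProxy's own code or anything from the original posts; the log format, client addresses, SAN list and the "which hosts require a client cert" policy are all constructed.

```python
"""Classify SNI/Host mismatches in constructed HAProxy-style log lines.

A mismatch is explained by connection coalescing when (a) the single
certificate served on the frontend covers both names and (b) the same
client ip:port earlier opened a connection whose SNI and Host were the
name now seen in the SNI field: the browser simply reused that connection.
Because client-cert authentication happens per TLS connection, a request
coalesced onto a connection negotiated for a host that did not ask for a
client cert arrives with no client DN, even if its Host normally requires one.
"""
from dataclasses import dataclass
from datetime import datetime

# Constructed: SANs of the one certificate served for both sites
CERT_SANS = {"myapp.io", "www.myapp.io", "anotherapp.com"}

# Constructed log lines: timestamp client_ip:port sni host client_cert_dn
SAMPLE_LOG = """\
2019-05-16T18:40:01 203.0.113.5:51234 anotherapp.com anotherapp.com -
2019-05-16T18:42:10 203.0.113.5:51234 anotherapp.com myapp.io -
2019-05-16T18:45:00 198.51.100.9:40001 myapp.io myapp.io CN=alice,O=Example
2019-05-16T18:50:33 192.0.2.77:33000 myapp.io example.org -
2019-05-16T18:55:00 192.0.2.88:44000 anotherapp.com www.myapp.io -
"""


@dataclass
class Entry:
    ts: datetime
    client: str      # "ip:port" of the client side of the connection
    sni: str         # name sent in the TLS ClientHello
    host: str        # HTTP Host / :authority header
    client_dn: str   # "-" when no client certificate was presented


def parse_log(text):
    """Parse the constructed space-separated format into Entry objects."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, sni, host, dn = line.split(maxsplit=4)
        entries.append(Entry(datetime.fromisoformat(ts), client, sni, host, dn))
    return entries


def explain_mismatches(entries, cert_sans):
    """Return (entry, verdict) for every entry whose SNI != Host.

    verdict is one of:
      'coalesced'     cert covers both names and an earlier sni == host
                      connection from the same client ip:port was seen
      'cert-no-cover' the cert does not cover both names, so a browser
                      would not have reused the connection; look elsewhere
      'no-prior-conn' cert covers both names but no earlier matching
                      connection appears in the log window
    """
    results = []
    first_seen = {}  # (client, name) -> first timestamp with sni == host == name
    for e in sorted(entries, key=lambda x: x.ts):
        if e.sni == e.host:
            first_seen.setdefault((e.client, e.sni), e.ts)
            continue
        if not {e.sni, e.host} <= cert_sans:
            verdict = "cert-no-cover"
        elif (e.client, e.sni) in first_seen and first_seen[(e.client, e.sni)] < e.ts:
            verdict = "coalesced"
        else:
            verdict = "no-prior-conn"
        results.append((e, verdict))
    return results


def missing_client_cert(entries, hosts_requiring_cert):
    """Requests to hosts that require a client cert but arrived without one."""
    return [e for e in entries
            if e.host in hosts_requiring_cert and e.client_dn == "-"]


if __name__ == "__main__":
    log = parse_log(SAMPLE_LOG)
    for entry, verdict in explain_mismatches(log, CERT_SANS):
        print(f"{entry.ts} {entry.client} sni={entry.sni} host={entry.host}: {verdict}")
    # Constructed policy: only myapp.io validates client certificates
    for entry in missing_client_cert(log, {"myapp.io"}):
        print(f"no client DN for {entry.host} on connection negotiated for sni={entry.sni}")
```

Run against real logs by logging `%[ssl_fc_sni]`, `%[req.hdr(host)]` and `%[ssl_c_s_dn]` (or your own fields) and adapting `parse_log`; the point of the 'coalesced' verdict is that the fix belongs in how client-cert checks are keyed (per Host, with a request-level decision such as renegotiation or rejection), not in SNI-based routing.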

