Tomcat doesn't expose the SNI information. What problem are you trying to solve here?
Tomcat rejects requests with mismatched host headers by default and can be configured to allow them in 8.5.x, 9.0.x and 10.1.x. You shouldn't need to write any extra code for this.

Mark

On 21/08/2023 12:59, Bhavesh Mistry wrote:
Hi Mark and Thomas,

I understood now that Tomcat does not have information other than HOST (HTTP 1.1) and :authority: (HTTP2). So there is no way to check what URL was used to connect and the headers. I was wondering if the TLS handshake can provide SNI that can be used for this purpose.

Server Name Indication (SNI) is an extension of the TLS protocol. The client specifies which hostname they want to connect to using the SNI extension in the TLS handshake. SNI will be the hostname that the browser used to negotiate TLS. So my idea is to check SNI vs the (host or :authority:) header, and if there is a mismatch between host/authority vs. SNI, I can reject requests and throw a 404 status.

Do you know how I can obtain SNI from the Tomcat HttpRequest object? What hostname was negotiated with TLS? What do you think of the idea of checking against SNI and the host or :authority: headers?

As always, your opinion and suggestions are always appreciated.

Thanks,
Bhavesh
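The default check Mark refers to is the one required by RFC 7230: when the request line carries an absolute-form target (`GET http://host/path HTTP/1.1`), its host must agree with the `Host` header, otherwise the request is rejected with 400. The following Python is an added illustration of that logic and is not Tomcat's code; host/port normalisation and the `allow_mismatch` switch (mirroring the connector's `allowHostHeaderMismatch` attribute) are assumptions made here for clarity, and the sample requests are constructed.

```python
from urllib.parse import urlsplit


def request_line_host(request_target: str):
    """Host/port named in an absolute-form request-target, or None for
    origin-form ("/path") and asterisk-form ("*") targets."""
    if request_target.startswith("/") or request_target == "*":
        return None
    parts = urlsplit(request_target)
    if not parts.netloc:
        return None
    return parts.hostname, parts.port   # hostname is lower-cased by urlsplit


def header_host(host_header: str):
    """Normalise a Host header value ("Example.COM:443", "[::1]:8443")."""
    parts = urlsplit("//" + host_header.strip())
    return parts.hostname, parts.port


def check_host_header_mismatch(request_line: str, headers: dict,
                               allow_mismatch: bool = False) -> int:
    """Return 400 if the request would be rejected, 0 if it passes.

    allow_mismatch=False models Tomcat's default; True models the relaxed
    connector setting Mark mentions (assumed mapping, not Tomcat's source)."""
    _method, target, version = request_line.split(" ")
    host_hdr = next((v for k, v in headers.items() if k.lower() == "host"), None)
    if version == "HTTP/1.1" and host_hdr is None:
        return 400                      # HTTP/1.1 requires a Host header
    line_host = request_line_host(target)
    if line_host is None or host_hdr is None or allow_mismatch:
        return 0                        # nothing to compare, or check disabled
    return 0 if line_host == header_host(host_hdr) else 400


if __name__ == "__main__":
    # Constructed sample requests, not captured traffic.
    samples = [
        ("GET http://example.com/index.html HTTP/1.1", {"Host": "example.com"}),
        ("GET http://example.com/index.html HTTP/1.1", {"Host": "other.example"}),
        ("GET /index.html HTTP/1.1", {"Host": "anything.example"}),
        ("GET /index.html HTTP/1.1", {}),
    ]
    for line, hdrs in samples:
        print(check_host_header_mismatch(line, hdrs), line, hdrs)
```

Note that this check only covers the request-line/Host disagreement; it has nothing to do with SNI, which, as Mark says, the servlet request does not expose.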