
I'm using WinHTTP in order to establish an HTTPS connection on port 443 with my remote. However, the server running this service also hosts more services on the same HTTPS port (443), so it uses SNI in order to resolve the requested session.

However, the server doesn't expect to get the hostname as SNI, since it uses a single URL for all services. Instead, the SNI value is chosen not according to the URL but according to some other string notation (i.e. service_api or service_web_if ...).

In my client connection flow, I set the URL in the WinHttpConnect method, which also sets the SNI accordingly, and the actual SSL/TLS handshake is made when calling WinHttpSendRequest. I wonder how I can change the SNI value from the default URL value after calling WinHttpConnect.

So far, while investigating possible solutions, I've learned about the HTTP_SERVICE_CONFIG_SSL_SNI_KEY structure, which is set by the HttpSetServiceConfiguration method along with the matching certificate for this SNI, but this seems to be related to the server-side configuration. Besides that, I haven't found any references for such an action, unfortunately.

Has anybody ever used a non-default SNI with the WinHTTP API and can tell me how to do so? Is the only option to do the SSL handshake using some lower-level API such as Schannel, and then switch back to WinHTTP?

If it's not possible, perhaps there's an option to use an extended hostname with a directory tree in order to get multiple SNIs on a single URL...

Zohar81
  • In https://tools.ietf.org/html/rfc6066#section-3 SNI is clearly defined as being a hostname for the content to be given. If some TLS stack is doing differently, it is not following the TLS standard. Are you sure your server uses the SNI extension and not something else to provide another piece of information that is not a hostname? "'HostName' contains the fully qualified DNS hostname of the server, as understood by the client. The hostname is represented as a byte string using ASCII encoding without a trailing dot." – Patrick Mevzek Aug 14 '19 at 23:18
  • @PatrickMevzek, fortunately I also control the server side (not me personally, but someone I can influence :-) ). The spec clearly says that in the future SNI will also support other names rather than the virtual hostname, right? But right now, it seems like the case ... Perhaps it's optional, to avoid buying multiple DNS addresses and use multiple hostnames on a single DNS address? – Zohar81 Aug 15 '19 at 04:22
  • @PatrickMevzek, one more thing ... the reason I first came up with this architecture is that OpenSSL allows this spec exception using the following command: `openssl s_client -servername <sni> -connect <url>`, where `sni` and `url` may be different – Zohar81 Aug 15 '19 at 07:05
  • How is this any different from your [previous question](https://stackoverflow.com/q/57479973/65863)? You are asking the same question, just in a different way. – Remy Lebeau Aug 15 '19 at 07:11
  • @RemyLebeau, the previous question is more about the specific case of using an IP and SNI together. Here I'm asking about the general concept of SNI and whether it may be any different from the DNS name. Perhaps I wasn't clear enough in the wording. – Zohar81 Aug 15 '19 at 07:17
  • "the spec clearly says that in the future, SNI will also support other names rather than the virtual hostname, right?" Yes, but nothing is defined. "because OpenSSL allows this spec exception using the following command openssl s_client -servername -connect where sni and url may be different": you pass a hostname + port after -connect, not a URL, and yes, the hostname there could be different from the hostname in -servername, but it is still a hostname, not anything else. – Patrick Mevzek Aug 15 '19 at 14:27
