[dnsdist] A SNI with a raw IPv6 address closes the DoT connection
Remi Gacogne
remi.gacogne at powerdns.com
Mon Mar 30 10:15:41 UTC 2020
Hello Stephane,

On 3/27/20 12:20 PM, Stephane Bortzmeyer via dnsdist wrote:
> I observe that sending a SNI which is a host name or an IPv4 address
> works fine but when the SNI is a raw IPv6 address, the TLS connection
> is immediately closed by the server.
>
> Is it my fault or the one of dnsdist?

What tool are you using to test? I can't reproduce that behaviour with
openssl s_client, but I'm not sure I'm sending a "raw IPv6 address" in
the same way you are:

    openssl s_client -connect 127.0.0.1:853 -servername 2001:db8::1

With this command the DoT connection is accepted by dnsdist (with the
OpenSSL DoT provider) and `dq:getServerNameIndication()` returns
'2001:db8::1'.

Best regards,
--
Remi Gacogne
PowerDNS.COM BV - https://www.powerdns.com/