server "IPv6"? #25

d47081 · 2024-03-26T23:34:41Z

I'm using Yggdrasil, and want to host capsule without regular domain name.

By defining in config IPv6, e.g. server "[xxx:xxxx:xxxx:xxxx:xx]" - get incomplete header error.

With /etc/hosts it works using domain alias but with IP not

The text was updated successfully, but these errors were encountered:

d47081 · 2024-03-26T23:55:46Z

Found this in logs:

replying to server #3
handshake: missing SNI
201:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:39532 GET  59 Wrong/malformed host or missing SNI

I've tried to add this option, but not helps, and SNI related to the proxy, not local folder.

Here is my config also:

server "xxx:xxxx:xxxx:xxxx::xx" {

	listen on xxx:xxxx:xxxx:xxxx::xx port 1965
	
	cert "/home/gmid/host/xxx:xxxx:xxxx:xxxx::xx/cert.pem"
	key "/home/gmid/host/xxx:xxxx:xxxx:xxxx::xx/key.rsa"
	
	root "/home/gmid/host/xxx:xxxx:xxxx:xxxx::xx/public"
	
	index "index.gmi"
}

omar-polo · 2024-03-27T18:53:01Z

Without knowing how Yggdrasil works, I think the issue is that the client connecting to gmid is not providing any SNI (server name indication).

gmid relies on the client to use SNI to understand to which virtual host the client wants to talk to, and from my understanding IPv4 or IPv6 bare addresses can't be used as host names in TLS.

I'm not sure whether gmid should gracefully handle the omission of the SNI, as it's mandatory per the gemini specification. On the other hand, I see how this could be useful for some niche use-cases.

I guess that for your use-case with Yggdrasil you can't use an hostname?

d47081 · 2024-03-27T19:04:40Z

Yggdrasil works like any IPv6 interface, but in 'death' 0200::/7 range (sometimes validators skipping this fake address)

Just interesting, does gmid support IPv6 in the names? If yes - it will support Yggdrasil also.
If no - would be nice to have this option, because I won't to launch another server :)

omar-polo · 2024-03-29T09:29:56Z

Well, the gemini specification says that

Client and server implementations MUST support TLS SNI (Server Name Indication) and clients MUST include hostname information when making requests for URLs where the authority section is a hostname.

and I probably missed the "where the authority section is a hostname", which seems to imply that it's also OK to make requests without SNI if you want to talk to a bare IPv4 or IPv6 address.

At the moment gmid always require a SNI from the client, I'll see what can be done to relax this requirement.

Thanks!

There are legitimate cases where SNI can't be used, for example when connecting via an IPv6 address, so don't rejects those requests. Instead, fill the requested domain with the address (literal) of the socket they're connected to and attempt to match on it. This possibly still incur in a "won't proxy" error if the client then requests a different hostname. See the github issue #25

omar-polo · 2024-05-29T09:10:37Z

I believe this is now fixed. I've relaxed the requirements for SNI in 1ef0cd0 and then added support for IPv6 addresses in the IRI parsing code in b00f71b, and added some tests.

I've tested this configuration

server "::1" {
        listen on ::1 port 10965
        cert "..."
        key  "..."
        root "..."
}

and works for me. Don't wrap IPv6 addresses in braces [...] in the server and listen directive.

omar-polo added the bug Something isn't working label May 27, 2024

omar-polo added this to the 2.1 milestone May 27, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

server "IPv6"? #25

server "IPv6"? #25

d47081 commented Mar 26, 2024

d47081 commented Mar 26, 2024

omar-polo commented Mar 27, 2024

d47081 commented Mar 27, 2024

omar-polo commented Mar 29, 2024

omar-polo commented May 29, 2024

server "IPv6"? #25

server "IPv6"? #25

Comments

d47081 commented Mar 26, 2024

d47081 commented Mar 26, 2024

omar-polo commented Mar 27, 2024

d47081 commented Mar 27, 2024

omar-polo commented Mar 29, 2024

omar-polo commented May 29, 2024