-
Notifications
You must be signed in to change notification settings - Fork 326
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
set SNI for VPN connection #1146
Conversation
@astibal Do we really want SNI to be optional? We already have option |
By the way, we must use standard C style for the source code; otherwise it won't pass the CI tests. For example: |
Hi Dimitri,
My pull request makes SNI enabled by default, disabled with
Yes, I am aware and using it too when needed. This is however different problem (admittedly not a big one): SNI is not present in
I will reformat the code to look as required Thanks, Ales |
@DimitriPapadopoulos I have fixed I followed |
My question still stands, why make SNI optional? I mean, I understand you have made it the default, but why would end-users need option |
A simple rebase will fix the Codespell CI job error. |
I see! I just considered it would be fair to add an option which would revert to original behavior. |
I just feel that it won't be needed in practice. The only possible reason for failure would be that the FortiGate chokes on the SNI request. However, this is not the case as far as I know. |
Patch assumes gateway is a hostname. If someone uses IP, this IP will be sent in SNI in its string form. At any rate I would be happy if you accept the patch in whichever form you like. With or without |
Perhaps it woiuld make sense to have an |
Hmm, taking it from this angle is also ok. I am happy with all versions:
It's indeed your call now. I can redo it once more, but want to know what is approach with a potential to be accepted :) |
I would most certainly accept the PR with |
The rationale is that |
It would be great if you could test on your side. @mrbaseman Your opinion would be valued, especially on the decision to always define the SNI during TLS handshake in branch sni. |
bb5917c
to
6a5a91f
Compare
well, since my review has been requested: 91527f2 looks good to me ;) |
@mrbaseman Thank you Martin. I couldn't find corner cases where SNI breaks the VPN negotiation, since the server name can be modified using option |
It is usually good practice to set SNI for the TLS connection.
While this is not a huge issue as SSLVPN is not requiring it, it's probably a good idea to set it:
I set the default to ON (don't think it should be OFF by default). Option
--no-sni
will indeed disable SNI to be set and sent.