---
title: "SNI Proxy"
date: 2022-11-18T00:16:35+01:00
---

A technique for forwarding HTTPS connections without breaking the encryption

<!--more-->

## SNI

> Server Name Indication (SNI) is an extension of the Transport Layer Security (TLS) standard that allows several websites of different domains, each reachable over encryption, to share one server on TLS port 443 even if that server has only a single IP address.

<https://de.wikipedia.org/wiki/Server_Name_Indication>

---

## TLS Handshake

Wireshark capture of the connection setup to <https://wiki.freifunk-franken.de>

```
...
Transport Layer Security
    TLSv1.2 Record Layer: Handshake Protocol: Client Hello
        ...
        Handshake Protocol: Client Hello
            ...
            Extension: server_name (len=29)
                ...
                Server Name Indication extension
                    ...
                    Server Name: wiki.freifunk-franken.de
                    ...
```

The requested domain is transmitted in cleartext even with `https://`! The ClientHello is the first message of the handshake and is sent before any key has been negotiated, so anyone on the path, including a proxy, can read the name without holding the server's private key. That is exactly what an SNI proxy relies on: it reads the name, picks the backend, and forwards the still-encrypted bytes unchanged. (If the client used Encrypted Client Hello, the name would be hidden and this routing would no longer work.)

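The extraction step an SNI proxy performs on that ClientHello, as an added example in Python (not code from this page or from any Freifunk project): it constructs a minimal TLS 1.2 ClientHello carrying a `server_name` extension and parses the host name back out by walking the record, handshake and extension headers, which is all a proxy needs to do before it starts splicing bytes. The builder, the zero random, the cipher suite and the function names are assumptions for illustration; a real ClientHello has more fields but the offsets the parser skips over are the same.

```python
import struct

TLS_HANDSHAKE = 0x16        # record layer content type "handshake"
CLIENT_HELLO = 0x01         # handshake message type
EXT_SERVER_NAME = 0x0000    # RFC 6066 server_name extension
HOST_NAME = 0x00            # NameType host_name


def server_name_extension_length(hostname: str) -> int:
    """Length of the server_name extension data for one host_name entry:
    2 (list length) + 1 (name type) + 2 (name length) + name bytes.
    For wiki.freifunk-franken.de this is the len=29 seen in Wireshark."""
    return 2 + 1 + 2 + len(hostname.encode("idna"))


def build_client_hello(hostname):
    """Constructed sample input (assumption, not a real capture): a minimal
    TLS 1.2 ClientHello record. hostname=None emits no extensions at all."""
    body = (
        b"\x03\x03"                              # client_version: TLS 1.2
        + b"\x00" * 32                           # random (zeros, constructed)
        + b"\x00"                                # session_id: empty
        + struct.pack("!H", 2) + b"\xc0\x2f"     # one cipher suite (assumed)
        + b"\x01\x00"                            # compression_methods: null only
    )
    if hostname is not None:
        name = hostname.encode("idna")
        entry = bytes([HOST_NAME]) + struct.pack("!H", len(name)) + name
        sni_list = struct.pack("!H", len(entry)) + entry
        ext = struct.pack("!HH", EXT_SERVER_NAME, len(sni_list)) + sni_list
        body += struct.pack("!H", len(ext)) + ext
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([TLS_HANDSHAKE, 0x03, 0x01]) + struct.pack("!H", len(handshake)) + handshake


def extract_sni(data: bytes):
    """Return the host_name from the server_name extension of a ClientHello
    record, or None if the bytes are not a complete TLS ClientHello with SNI
    (plain HTTP, a truncated record, or a hello without extensions)."""
    try:
        if data[0] != TLS_HANDSHAKE:
            return None
        rec_len = struct.unpack_from("!H", data, 3)[0]
        rec = data[5:5 + rec_len]
        if len(rec) < rec_len or rec[0] != CLIENT_HELLO:
            return None
        hs_len = int.from_bytes(rec[1:4], "big")
        hello = rec[4:4 + hs_len]
        if len(hello) < hs_len:
            return None
        pos = 2 + 32                                        # client_version + random
        pos += 1 + hello[pos]                               # session_id
        pos += 2 + struct.unpack_from("!H", hello, pos)[0]  # cipher_suites
        pos += 1 + hello[pos]                               # compression_methods
        if pos >= len(hello):
            return None                                     # no extensions block
        ext_len = struct.unpack_from("!H", hello, pos)[0]
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            ext_type, length = struct.unpack_from("!HH", hello, pos)
            pos += 4
            if ext_type == EXT_SERVER_NAME:
                list_len = struct.unpack_from("!H", hello, pos)[0]
                p, list_end = pos + 2, pos + 2 + list_len
                while p + 3 <= list_end:
                    name_type = hello[p]
                    name_len = struct.unpack_from("!H", hello, p + 1)[0]
                    p += 3
                    if name_type == HOST_NAME:
                        # SNI host names are ASCII A-labels (RFC 6066)
                        return hello[p:p + name_len].decode("ascii")
                    p += name_len
                return None
            pos += length
        return None
    except (IndexError, struct.error, UnicodeDecodeError):
        return None


if __name__ == "__main__":
    hello = build_client_hello("wiki.freifunk-franken.de")
    print(extract_sni(hello), server_name_extension_length("wiki.freifunk-franken.de"))
```

Everything after the name is opaque to the proxy: it never sees the certificate, the keys or the application data, it only needs the first record of the client's first flight. A proxy should buffer until the whole record has arrived and give up (close the connection or fall back to a default backend) when `extract_sni` returns `None`, because plain-HTTP probes and truncated records land on port 443 too.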
## IPv6

```mermaid
sequenceDiagram
participant client as Client<br>2001:db8::
participant srv as example.com<br/>2001:db8:1::
participant DNS

client ->>+ DNS: AAAA? example.com
DNS -->>- client: 2001:db8:1::
client ->>+ srv: https://example.com
srv -->- client: Connection
```

## IPv4

```mermaid
sequenceDiagram
participant client as Client<br>192.0.2.1
participant sni as sni.fff.community<br>2001:db8:2::
participant srv as example.com<br/>2001:db8:1::
participant DNS

client ->>+ DNS: A? example.com
DNS -->>- client: 185.220.100.168
client ->>+ sni: https://example.com<br/>ClientHello with SNI example.com
sni ->>+ DNS: AAAA? example.com
DNS -->>- sni: 2001:db8:1::
sni ->>+ srv: tcp6://example.com:443
srv -->- client: Connection
deactivate sni
```

## NAT46 Mode

```mermaid
sequenceDiagram
participant client as Client<br>192.0.2.1
participant sni as sni.fff.community<br>2001:db8:2::
participant srv as example.com<br/>2001:db8:1::

client ->>+ sni: https://example.com
sni ->>+ srv: tcp6://example.com:443<br/>192.0.2.1 -> c000:201<br/>from 2001:db8:2::c000:201
srv -->- client: Connection
deactivate sni
```

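The address translation the NAT46 diagram shows (192.0.2.1 becoming `c000:201` inside `2001:db8:2::`), as an added Python example that is not code from this page or from the sni.fff.community proxy: the proxy embeds the client's IPv4 address in the low 32 bits of a /96 prefix it owns and uses that as the source address towards the IPv6-only backend, so the backend still sees one distinct address per IPv4 client instead of the proxy's single address. The prefix and the function names are assumptions; the reverse mapping is what you need when a backend's log or abuse report quotes one of these addresses.

```python
import ipaddress

# Assumed NAT46 prefix for this example, taken from the diagram above.
# It must be a /96: 128 - 96 leaves exactly the 32 bits of an IPv4 address.
NAT46_PREFIX = ipaddress.IPv6Network("2001:db8:2::/96")


def embed_ipv4(ipv4: str, prefix: ipaddress.IPv6Network = NAT46_PREFIX) -> str:
    """Map an IPv4 client address into the proxy's NAT46 prefix by OR-ing
    its 32 bits into the low 32 bits of the /96 network address."""
    if prefix.prefixlen != 96:
        raise ValueError("NAT46 prefix must be a /96 to hold 32 IPv4 bits")
    v4 = ipaddress.IPv4Address(ipv4)
    return str(ipaddress.IPv6Address(int(prefix.network_address) | int(v4)))


def extract_ipv4(ipv6: str, prefix: ipaddress.IPv6Network = NAT46_PREFIX):
    """Recover the original IPv4 client address from a NAT46 source address,
    or None if the address does not belong to the prefix (not a proxied client)."""
    v6 = ipaddress.IPv6Address(ipv6)
    if v6 not in prefix:
        return None
    return str(ipaddress.IPv4Address(int(v6) & 0xFFFFFFFF))


def ipv4_hex_groups(ipv4: str) -> str:
    """Render the IPv4 address as the two hextets it becomes in the IPv6
    address, the way the diagram writes it (192.0.2.1 -> c000:201)."""
    n = int(ipaddress.IPv4Address(ipv4))
    return f"{n >> 16:x}:{n & 0xFFFF:x}"


if __name__ == "__main__":
    src = embed_ipv4("192.0.2.1")
    print(src, ipv4_hex_groups("192.0.2.1"), extract_ipv4(src))
```

Because every address in the /96 is a valid source, the proxy host needs the whole prefix routed to it (for example as a local route on the interface) rather than a single address, and the backend can keep per-client rate limits and fail2ban-style rules working against the embedded address.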
## Example: hosting in Freifunk

- https://rmon.bareminimum.eu