Context: IIS website with hostname header configured and TLS certificate.
When a client initiates a connection to the specified site, is this the right flow?
- Client (browser) performs DNS lookup
- TCP connection is established to the server
- Client (browser) constructs the TLS payload, in which it includes the SNI (the site name), and begins the handshake with the server
- Server looks for the certificate with the specified name in its site bindings list of certificates and responds back
- Once TLS is established, the IIS webserver routes the HTTP request to the specific site using the HOST header value.
As per my understanding, the SNI is the base information the server uses to look up the certificate for the site.
What happens if, after the TLS handshake, I actually modify the HTTP Host header to target a different website? Is this possible?
RFC 6066 section 11.1 says, in part:

> Since it is possible for a client to present a different server_name in the application protocol, application server implementations that rely upon these names being the same MUST check to make sure the client did not present a different name in the application protocol.
How web servers actually do this can vary. Apache and nginx both reject such connections outright, though strangely Apache has an option to turn this off. No idea what IIS does, but hopefully it is sane. You can easily test it yourself.
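The check that RFC 6066 asks application servers to perform, and a way to test a server for it, as an added example written for this answer (it is not code from the answerer, from IIS, Apache or nginx). It compares the TLS server_name with the HTTP Host header after normalising case, trailing dot and the optional port, over a few constructed HTTP/1.1 requests; the host names are constructed sample values, and `probe()` is a hypothetical helper that connects with one SNI name and sends a different Host header so you can observe what a real server does (an error response or a closed connection means the server enforces the check).

```python
import socket
import ssl
from typing import Optional


def normalize_host(name: str) -> str:
    """Normalise a host name for comparison: lowercase, drop a trailing dot,
    and strip an explicit :port suffix. The HTTP Host header may carry a
    port; the TLS server_name value never does."""
    name = name.strip().lower()
    if name.startswith("["):                      # bracketed IPv6 literal
        name = name.split("]", 1)[0] + "]"
    elif ":" in name:                             # host:port
        name = name.rsplit(":", 1)[0]
    return name.rstrip(".")


def host_header_from_request(raw: bytes) -> Optional[str]:
    """Return the Host header value from a raw HTTP/1.1 request, or None."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    for line in head.split(b"\r\n")[1:]:          # skip the request line
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"host":
            return value.strip().decode("ascii", "replace")
    return None


def sni_matches_host(sni: str, raw_request: bytes) -> bool:
    """RFC 6066 section 11.1 check: the name presented in the application
    protocol (HTTP Host) must be the name presented in TLS (server_name).
    A request without a Host header is treated as a mismatch."""
    host = host_header_from_request(raw_request)
    if host is None:
        return False
    return normalize_host(sni) == normalize_host(host)


def build_request(host_header: str, path: str = "/") -> bytes:
    """Build a minimal HTTP/1.1 request carrying an arbitrary Host header."""
    return (f"GET {path} HTTP/1.1\r\nHost: {host_header}\r\n"
            f"Connection: close\r\n\r\n").encode("ascii")


def probe(server: str, port: int, sni: str, host_header: str,
          timeout: float = 5.0) -> bytes:
    """Hypothetical test helper (network call, not run offline): handshake
    with server_name=sni, then send a request whose Host is host_header,
    and return the start of the response so the server's behaviour can be
    observed."""
    ctx = ssl.create_default_context()
    with socket.create_connection((server, port), timeout=timeout) as tcp:
        with ctx.wrap_socket(tcp, server_hostname=sni) as tls:
            tls.sendall(build_request(host_header))
            return tls.recv(4096)


# Constructed sample requests as an IIS-style server would see them after
# the handshake; the SNI for the connection is "www.example.com".
REQ_MATCH = build_request("www.example.com")
REQ_MATCH_PORT = build_request("WWW.Example.com:443")
REQ_MISMATCH = build_request("other.example.net")
REQ_NO_HOST = b"GET / HTTP/1.1\r\n\r\n"

if __name__ == "__main__":
    for label, req in [("match", REQ_MATCH), ("match+port", REQ_MATCH_PORT),
                       ("mismatch", REQ_MISMATCH), ("no host", REQ_NO_HOST)]:
        verdict = "accept" if sni_matches_host("www.example.com", req) else "reject"
        print(f"{label:10s} -> {verdict}")
```

The normalisation matters in practice: a naive byte comparison would reject `Host: www.example.com:443` even though it names the same site, while still letting a server that skips the check route the request to whichever binding the Host header names.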
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.