From: Alexander S. <a.s...@gm...> - 2025-10-22 08:39:48
Hi Harald,
thank you for the info. I’m aware of the -autoservername option introduced in TclTLS 1.7.1, but I suspect it may not fully solve the issue in my case, especially when using multiple HTTPS hosts within the same script.
From what I can tell, TclTLS 2 introduces some changes to how these options behave, and the handling seems to differ compared to 1.x versions. I’ve been reviewing the updated documentation here:
• https://chiselapp.com/user/bohagan/repository/TCLTLS/file?name=doc/tls.html&ci=tip
• https://chiselapp.com/user/bohagan/repository/TCLTLS/wiki?name=TCLTLS+Redux
It appears that -servername now defaults to the socket host, and -autoservername defaults to true if not explicitly set – which should help in most cases. However, I’m still unsure how to handle dynamic connections to different servers if the TLS context needs to be unique per request.
I saw that Brian posted a detailed message about TclTLS 2 on the newsgroup. That might cover exactly what I’m running into.
If possible, I’d appreciate it if you could forward his message to the Tcl core mailing list – or perhaps Brian could directly comment on this?
Best,
Alex
> On 22.10.2025 at 08:33, Harald Oehlmann <har...@el...> wrote:
>
> Alex,
> TCLTLS 1.7.1 introduced "-autoservername" option.
> Does this solve your issue?
> Harald
>
> On 22.10.2025 at 08:26, Alexander Schöpe via Tcl-Core wrote:
>> Hi Brian,
>> I have a question regarding the use of tcltls in combination with the http package, specifically concerning Server Name Indication (SNI).
>> Recently, it seems that some Apache web servers have changed their configuration, and I’m increasingly encountering the 421 Misdirected Request error when making HTTPS requests without explicitly setting the servername field during the TLS handshake.
>> The error message is typically something like:
>> The client needs a new connection for this request as the requested host name does not match the Server Name Indication (SNI) in use for this connection.
>> I’ve been able to work around this issue for a single target server by explicitly registering HTTPS like this:
>> http::register https 443 [list ::tls::socket -tls1 1 -servername bla.example.com]
>> However, my question is:
>> What is the recommended approach if I need to contact multiple different HTTPS servers within the same Tcl script?
>> Since http::register is global for the https scheme, it doesn’t seem possible to dynamically assign the -servername per connection.
>> Is there a best practice or suggested workaround – perhaps by creating a custom socket for each http::geturl call with the correct SNI set depending on the target host?
>> Any advice would be much appreciated.
>> Best
>> Alex
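One way to get a per-connection server name with a single global http::register, shown as an added example that is not part of the thread and not TclTLS or http package code. The proc name ::sni_tls_socket is hypothetical, and the sketch assumes direct connections (no proxy), where the http package passes the target host and port as the last two words of the socket command.

```tcl
package require http
package require tls

# Hypothetical helper (name is an assumption). The http package calls the
# registered command with its own socket options followed by host and port,
# so the target host is the second-to-last word of $args.
proc ::sni_tls_socket {args} {
    set host [lindex $args end-1]
    set port [lindex $args end]
    set opts [lrange $args 0 end-2]

    # SNI carries DNS host names only; skip it for IPv4/IPv6 literals.
    set isIp [expr {[regexp {^\d{1,3}(\.\d{1,3}){3}$} $host]
                    || [string first ":" $host] >= 0}]
    if {!$isIp} {
        lappend opts -servername $host
    }

    # Certificate checking options (-require, -cafile, -cadir) can be
    # appended to $opts here if the script relies on them.
    return [::tls::socket {*}$opts $host $port]
}

# One global registration; the server name is now chosen per connection.
http::register https 443 ::sni_tls_socket

# Usage with constructed host names:
#   set tok [http::geturl https://one.example.com/]   ;# SNI: one.example.com
#   set tok [http::geturl https://two.example.net/]   ;# SNI: two.example.net
```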