From: Alexander S. <a.s...@gm...> - 2025-10-22 14:20:58
Hi Brian,

thanks a lot for the clarification regarding the new defaults in TclTLS 2.0. It’s great to hear that the -servername is now automatically derived from the host used in tls::socket, and that this behavior aligns with modern SNI expectations. That does indeed sound like it resolves the original issue I had when contacting multiple HTTPS hosts.

Also, the note regarding tls::import and the need to explicitly pass -servername makes sense, since the original socket doesn’t retain the hostname context.

I appreciate the effort that went into improving the defaults — especially removing the need to manually set TLS protocol versions. These changes make the usage much more intuitive and modern.

I’ll experiment with the new v2.0 behavior in practice, but based on your explanation, this seems to cover my use case quite well.

Thanks again!
Alex

> On 22.10.2025 at 15:59, Brian O’Hagan <bri...@co...> wrote:
>
> In TclTLS 2.0 you don’t need to (but can) use the -autoservername anymore. If you provide the right host to the tls::socket command, it will automatically be used for the -servername argument. That is what is used for SNI. You can override this by specifying -servername if you need to use a different name for SNI. As long as you don’t use -servername for the tls::init command, each connection will use its own host for SNI. So, I think the default does what you want now.
>
> Please note if you use socket then tls::import, you must use the -servername option. Since the socket command does not preserve the host you used, the tls::import command has no other way to get it.
>
> The big change is you don’t need to specify which TLS protocol versions to use. It will default to only allowing TLS 1.2 and 1.3, which is what most servers will only allow nowadays. My main goal in the option default changes was so you don't need to figure it out. It will just work.
>
>> On Oct 22, 2025, at 3:39 AM, Alexander Schöpe <a.s...@gm...> wrote:
>>
>> Hi Harald
>> thank you for the info. I’m aware of the -autoservername option introduced in TclTLS 1.7.1, but I suspect it may not fully solve the issue in my case, especially when using multiple HTTPS hosts within the same script.
>>
>> From what I can tell, TclTLS 2 introduces some changes to how these options behave, and the handling seems to differ compared to 1.x versions. I’ve been reviewing the updated documentation here:
>> • https://chiselapp.com/user/bohagan/repository/TCLTLS/file?name=doc/tls.html&ci=tip
>> • https://chiselapp.com/user/bohagan/repository/TCLTLS/wiki?name=TCLTLS+Redux
>>
>> It appears that -servername now defaults to the socket host, and -autoservername defaults to true if not explicitly set – which should help in most cases. However, I’m still unsure how to handle dynamic connections to different servers if the TLS context needs to be unique per request.
>>
>> I saw that Brian posted a detailed message about TclTLS 2 on the newsgroup. That might cover exactly what I’m running into.
>> If possible, I’d appreciate it if you could forward his message to the Tcl core mailing list – or perhaps Brian could directly comment on this?
>>
>> Best,
>> Alex
>>
>>> On 22.10.2025 at 08:33, Harald Oehlmann <har...@el...> wrote:
>>> Alex,
>>> TCLTLS 1.7.1 introduced "-autoservername" option.
>>> Does this solve your issue?
>>> Harald
>>>> On 22.10.2025 at 08:26, Alexander Schöpe via Tcl-Core wrote:
>>>> Hi Brian,
>>>> I have a question regarding the use of tcltls in combination with the http package, specifically concerning Server Name Indication (SNI).
>>>> Recently, it seems that some Apache web servers have changed their configuration, and I’m increasingly encountering the 421 Misdirected Request error when making HTTPS requests without explicitly setting the servername field during the TLS handshake.
>>>> The error message is typically something like:
>>>> The client needs a new connection for this request as the requested host name does not match the Server Name Indication (SNI) in use for this connection.
>>>> I’ve been able to work around this issue for a single target server by explicitly registering HTTPS like this:
>>>> http::register https 443 [list ::tls::socket -tls1 1 -servername bla.example.com]
>>>> However, my question is:
>>>> What is the recommended approach if I need to contact multiple different HTTPS servers within the same Tcl script?
>>>> Since http::register is global for the https scheme, it doesn’t seem possible to dynamically assign the -servername per connection.
>>>> Is there a best practice or suggested workaround – perhaps by creating a custom socket for each http::geturl call with the correct SNI set depending on the target host?
>>>> Any advice would be much appreciated.
>>>> Best
>>>> Alex
>>> _______________________________________________
>>> Tcl-Core mailing list
>>> Tcl...@li...
>>> https://lists.sourceforge.net/lists/listinfo/tcl-core
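The per-host SNI workaround the thread asks about, written out as an added example (not code from the thread or from TclTLS). It assumes the http package invokes the registered command as `cmd ?options? host port`, so the target host is the second-to-last argument; the hostnames are constructed placeholders.

```tcl
package require http
package require tls

# Hypothetical wrapper: copies the host the http package is about to connect
# to into -servername, so every connection carries its own SNI even though
# http::register is global for the https scheme. With TclTLS 2.0 this is
# redundant (tls::socket already derives -servername from the host); it is
# what a TclTLS 1.7.x setup needs to avoid the 421 Misdirected Request.
proc ::sni_tls_socket {args} {
    # Assumption: the http package calls  <cmd> ?-async? host port
    set host [lindex $args end-1]
    return [::tls::socket -servername $host {*}$args]
}

http::register https 443 ::sni_tls_socket

# Two different hosts in one script, each handshake announcing its own name.
foreach url {https://first.example.com/ https://second.example.org/} {
    set tok [http::geturl $url]
    puts "$url -> HTTP [http::ncode $tok]"
    http::cleanup $tok
}

# Plain socket upgraded with tls::import: the socket does not remember the
# host it was opened to, so the SNI name has to be passed explicitly.
set host second.example.org
set chan [socket $host 443]
tls::import $chan -servername $host
tls::handshake $chan
close $chan
```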