> Hi Mark and Thomas,
>
> I understand now that Tomcat does not have information other than HOST
> (HTTP 1.1) and :authority: (HTTP2). So there is no way to check what URL
> was used to connect and headers.
>
> I was wondering if the TLS handshake can provide SNI that can be used for
> this purpose.
>
> Server Name Indication (SNI) is an extension of the TLS protocol. The
> client specifies which hostname they want to connect to using the SNI
> extension in the TLS handshake.
>
> SNI will be the hostname that the browser used to negotiate TLS. So my
> idea is to check SNI vs. the (host or :authority:) header, and if there is
> a mismatch between host/authority and SNI, I can reject requests and throw
> a 404 status.
>
> Do you know how I can obtain SNI from the Tomcat HttpRequest object?
> What hostname was negotiated with TLS? Do you think the idea of checking
> against SNI and host or :authority: headers?
>
> As always, your opinion and suggestion are always appreciated.
>
> Thanks,
>
> Bhavesh
>
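The comparison proposed in the quoted message, as an added example that is not part of the original message and is not Tomcat code. It uses only the JDK; how the SNI name is obtained from Tomcat is not shown, the class and method names are hypothetical, and treating a missing SNI as a mismatch is an assumed policy.

```java
import java.net.IDN;
import java.util.Locale;

public final class SniHostCheck {

    // Reduce an SNI name or a Host/:authority value to a comparable hostname.
    // Returns null when the value cannot be a DNS name usable as SNI.
    static String normalize(String value, boolean mayCarryPort) {
        if (value == null) return null;
        String h = value.trim();
        // SNI carries DNS names only, so an IPv6 literal like "[::1]:8443" never matches.
        if (h.isEmpty() || h.startsWith("[")) return null;
        int colon = h.lastIndexOf(':');
        if (mayCarryPort && colon >= 0) h = h.substring(0, colon); // drop ":port"
        if (h.endsWith(".")) h = h.substring(0, h.length() - 1);   // "host." equals "host"
        try {
            // STD3 rules reject characters such as '@', '/', ':' or spaces.
            String ascii = IDN.toASCII(h, IDN.USE_STD3_ASCII_RULES);
            return ascii.isEmpty() ? null : ascii.toLowerCase(Locale.ROOT);
        } catch (IllegalArgumentException e) {
            return null;
        }
    }

    // True only when both names are present and equal after normalization.
    // Assumed policy: a connection without SNI (for example, by IP address) is a mismatch.
    static boolean matches(String sniName, String hostOrAuthority) {
        String sni = normalize(sniName, false);
        String host = normalize(hostOrAuthority, true);
        return sni != null && sni.equals(host);
    }

    public static void main(String[] args) {
        String[][] samples = { // constructed pairs: {SNI, Host or :authority value}
            {"app.example.com", "app.example.com"},
            {"app.example.com", "APP.Example.COM.:8443"},
            {"app.example.com", "admin.example.com"},
            {"app.example.com", "[2001:db8::1]:8443"},
            {null, "192.0.2.10"},
        };
        for (String[] s : samples) {
            // 404 on mismatch is the response proposed in the message above.
            String outcome = matches(s[0], s[1]) ? "continue" : "reject with 404";
            System.out.println(s[0] + " vs " + s[1] + " -> " + outcome);
        }
    }
}
```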