Hi Mark,

I am sorry for the delayed response.

Basically, when the request URL does not match the Host header, I would reject
it.  For example,

curl -vvvv -k "https://www.mydomain.com/login" -H 'Host: attackerHostHeaderInjection.com'


Based on the curl -vvv output, the Tomcat server does not know the host name
used, www.mydomain.com, but only the Host header, attackerHostHeaderInjection.com.

In this case I would like to reject the request and send 403 or 404.  As you
explained, since the request line does not have the full URL,
allowHostHeaderMismatch will not reject it.

So my idea is that using SNI I could get the hostname, compare it with the Host
header or :authority, and reject it on mismatch.

Is it possible to request a new feature in Tomcat to get or expose the SNI name
used by the client?

Thanks,

Bhavesh


On Tue, Aug 22, 2023, 3:03 PM Mark Thomas <ma...@apache.org> wrote:

> Tomcat doesn't expose the SNI information.
>
> What problem are you trying to solve here?
>
> Tomcat rejects requests with mis-matched host headers by default and can
> be configured to allow them in 8.5.x, 9.0.x and 10.1.x. You shouldn't
> need to write any extra code for this.
>
> Mark
>
>
> On 21/08/2023 12:59, Bhavesh Mistry wrote:
> >>
> >> Hi Mark and Thomas,
> >>
> >> I understand now that Tomcat does not have information other than Host
> >> (HTTP/1.1) and :authority (HTTP/2).  So there is no way to check what URL
> >> was used to connect against the headers.
> >>
> >> I was wondering if the TLS handshake can provide SNI that can be used for
> >> this purpose.
> >>
> >> Server Name Indication (SNI) is an extension of the TLS protocol. The
> >> client specifies which hostname they want to connect to using the SNI
> >> extension in the TLS handshake.
> >>
> >> SNI will be the hostname that the browser used to negotiate TLS.  So my
> >> idea is to check SNI against the Host or :authority header, and if there
> >> is a mismatch between Host/:authority and SNI, I can reject the request
> >> and return a 404 status.
> >>
> >> Do you know how I can obtain the SNI from the Tomcat HttpRequest object,
> >> i.e. what hostname was negotiated with TLS?  What do you think of the
> >> idea of checking SNI against the Host or :authority headers?
> >>
> >> As always, your opinion and suggestions are appreciated.
> >>
> >> Thanks,
> >>
> >> Bhavesh
> >>
> >
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>
>
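The check Bhavesh describes, SNI versus Host/:authority, as an added example that is not part of the thread and not Tomcat code. Since Tomcat does not expose the SNI value (as Mark says above), the example includes its own minimal ClientHello parser of the kind you would run in a TLS-terminating front end, plus a constructed ClientHello builder so it runs offline. The function names (build_client_hello, extract_sni, normalize_authority, decide) and the choice of 403 as the rejection status are assumptions of this example.

```python
"""SNI vs Host / :authority check. Added example; not Tomcat's code."""
import ipaddress
import struct
from typing import Optional

TLS_HANDSHAKE = 0x16
CLIENT_HELLO = 0x01
EXT_SERVER_NAME = 0x0000
NAME_TYPE_HOST_NAME = 0x00


def build_client_hello(sni: Optional[str]) -> bytes:
    """Constructed sample input: a minimal ClientHello with one SNI entry
    (no extensions block at all when sni is None). Real hellos carry more."""
    body = b"\x03\x03" + b"\x00" * 32 + b"\x00"       # version, random, empty session id
    body += struct.pack("!H", 2) + b"\x13\x01"        # one cipher suite
    body += b"\x01\x00"                               # null compression only
    if sni is not None:
        name = sni.encode("ascii")
        entry = bytes([NAME_TYPE_HOST_NAME]) + struct.pack("!H", len(name)) + name
        ext_data = struct.pack("!H", len(entry)) + entry
        ext = struct.pack("!HH", EXT_SERVER_NAME, len(ext_data)) + ext_data
        body += struct.pack("!H", len(ext)) + ext
    hs = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([TLS_HANDSHAKE, 0x03, 0x01]) + struct.pack("!H", len(hs)) + hs


def extract_sni(record: bytes) -> Optional[str]:
    """Walk TLS record -> handshake -> extensions and return the host_name
    from the server_name extension, or None if absent or malformed."""
    try:
        if record[0] != TLS_HANDSHAKE:
            return None
        rec_len, = struct.unpack("!H", record[3:5])
        hs = record[5:5 + rec_len]
        if hs[0] != CLIENT_HELLO:
            return None
        hs_len = int.from_bytes(hs[1:4], "big")
        body = hs[4:4 + hs_len]
        if len(body) != hs_len:
            return None                               # truncated record
        pos = 2 + 32                                  # client_version + random
        pos += 1 + body[pos]                          # session_id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
        pos += 1 + body[pos]                          # compression_methods
        if pos >= len(body):
            return None                               # no extensions block
        ext_end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= ext_end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            data, pos = body[pos + 4:pos + 4 + elen], pos + 4 + elen
            if etype != EXT_SERVER_NAME:
                continue
            list_end = 2 + struct.unpack("!H", data[:2])[0]
            p = 2
            while p + 3 <= list_end:
                ntype, nlen = data[p], struct.unpack("!H", data[p + 1:p + 3])[0]
                if ntype == NAME_TYPE_HOST_NAME:
                    return data[p + 3:p + 3 + nlen].decode("ascii")
                p += 3 + nlen
        return None
    except (IndexError, struct.error, UnicodeDecodeError):
        return None


def normalize_authority(value: str) -> Optional[str]:
    """Reduce a Host / :authority value to a comparable hostname: strip the
    port, lowercase, drop a trailing dot. IP literals return None because SNI
    may not carry an IP address (RFC 6066), so they can never match."""
    v = value.strip()
    if v.startswith("["):                             # [ipv6]:port form
        host = v[1:v.index("]")]
    else:
        host = v.rsplit(":", 1)[0] if v.count(":") == 1 else v
    host = host.lower().rstrip(".")
    try:
        ipaddress.ip_address(host)
        return None
    except ValueError:
        return host or None


def decide(client_hello: bytes, authority: str) -> Optional[int]:
    """Return the status to reject with (403 here), or None to pass the
    request on. Reject when SNI is missing, the authority is unusable, or
    the two names differ after normalization."""
    sni = extract_sni(client_hello)
    host = normalize_authority(authority)
    if sni is None or host is None or sni.lower().rstrip(".") != host:
        return 403
    return None


if __name__ == "__main__":
    hello = build_client_hello("www.mydomain.com")
    print(decide(hello, "www.mydomain.com"))
    print(decide(hello, "attackerHostHeaderInjection.com"))
```

The curl invocation earlier in the thread is exactly the case this catches: curl sends SNI from the URL (www.mydomain.com) but the overridden Host header, so decide() returns 403. One caveat before deploying it strictly: under HTTP/2 a browser may legitimately reuse one TLS connection for several origins whose names are all covered by the server certificate (connection coalescing, RFC 7540 section 9.1.1), so :authority can differ from the SNI name without any attack; a hard SNI == authority rule breaks that unless you compare against the certificate's name set instead.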
