On Mon, Jan 14, 2019 at 02:48:58PM -0500, John Levine wrote:
> Today's question: I would like to log the SNI in the Received header.
> Where should I put it?
>
> One possibility would be to use the SNI name as the by-domain in the BY
> clause, but that makes it hard to tell that the name came from SNI
> rather than by default. I suppose I could put it in a comment but
> that's ugly. In retrospect, RFC8461 should have added an SNI clause
> to Received, like RFC 8314 added tls and group clauses.
FWIW, Postfix puts TLS connection details in comments:
Received: from mail.ietf.org (mail.ietf.org [4.31.198.44])
    (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits))
    (No client certificate requested)
    by straasha.imrryr.org (Postfix) with ESMTPS id 7D12433E8F
    for <[email protected]>; Mon, 14 Jan 2019 15:22:19 -0500 (EST)
The "using TLS X with cipher Y" syntax admits further refinement, thus
for TLS 1.3 the comment becomes (when client certs are also present):
Received: from example.com (localhost [127.0.0.1])
    (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
    key-exchange X25519 server-signature RSA-PSS (2048 bits)
    server-digest SHA256
    client-signature ECDSA (P-256) client-digest SHA256)
    (Client CN "example.com", Issuer "example.com" (not verified))
    by example.com (Postfix) with ESMTPS id 8956D2012E3208
    for <[email protected]>; Mon, 14 Jan 2019 15:46:32 -0500 (EST)
so, just like the trace header itself, the comment content,
after "with", is a list of key-value pairs. My plan is to add SNI
there:
Received: from example.com (localhost [127.0.0.1])
    (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
    key-exchange X25519 server-signature RSA-PSS (2048 bits)
    server-digest SHA256
    client-signature ECDSA (P-256) client-digest SHA256
    server_name example.com)
--
Viktor.
_______________________________________________
Uta mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/uta
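The "using X with k v ..." comment layout described in the message above lends itself to a small consumer. The following is an added example, not Postfix code and not code from the thread: it unfolds a Received header, extracts the top-level parenthesised comments (keeping nested parentheses such as "(256/256 bits)" intact), parses the key-value list after "with" into a dict, and pulls out the proposed server_name key. Because the SNI is whatever the connecting client sent, the example treats it as untrusted input and only returns it after a syntactic hostname check. The sample headers are constructed after the ones quoted above (recipient addresses are placeholders); the function names and the hostname regex are my own assumptions, not anything Postfix provides.

```python
import re
from typing import Dict, List, Optional

# Constructed sample headers modelled on the Postfix format quoted in the
# thread; the recipient addresses are placeholders.
SAMPLE_TLS12 = (
    "Received: from mail.ietf.org (mail.ietf.org [4.31.198.44])\n"
    "\t(using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits))\n"
    "\t(No client certificate requested)\n"
    "\tby straasha.imrryr.org (Postfix) with ESMTPS id 7D12433E8F\n"
    "\tfor <user@example.org>; Mon, 14 Jan 2019 15:22:19 -0500 (EST)\n"
)

SAMPLE_TLS13_SNI = (
    "Received: from example.com (localhost [127.0.0.1])\n"
    "\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n"
    "\tkey-exchange X25519 server-signature RSA-PSS (2048 bits)\n"
    "\tserver-digest SHA256\n"
    "\tclient-signature ECDSA (P-256) client-digest SHA256\n"
    "\tserver_name example.com)\n"
    '\t(Client CN "example.com", Issuer "example.com" (not verified))\n'
    "\tby example.com (Postfix) with ESMTPS id 8956D2012E3208\n"
    "\tfor <user@example.com>; Mon, 14 Jan 2019 15:46:32 -0500 (EST)\n"
)

# Constructed variant with a syntactically invalid SNI (leading hyphen),
# to exercise the hostname check below.
SAMPLE_TLS13_BAD_SNI = SAMPLE_TLS13_SNI.replace(
    "server_name example.com", "server_name -bad.example"
)


def unfold(header: str) -> str:
    """Join RFC 5322 folded continuation lines into one logical line."""
    return re.sub(r"\r?\n[ \t]+", " ", header.strip())


def comments(header: str) -> List[str]:
    """Return the top-level parenthesised comments of an unfolded header.

    Nested parentheses, e.g. "(256/256 bits)" inside the TLS comment, are
    kept as part of the enclosing comment.
    """
    out: List[str] = []
    depth, start = 0, -1
    for i, ch in enumerate(header):
        if ch == "(":
            if depth == 0:
                start = i + 1
            depth += 1
        elif ch == ")" and depth:
            depth -= 1
            if depth == 0:
                out.append(header[start:i])
    return out


# One "key value" pair, optionally followed by a parenthesised qualifier
# such as "(2048 bits)" or "(P-256)".
_PAIR = re.compile(r"(\S+)\s+(\S+)(?:\s+(\([^()]*\)))?")


def parse_tls_comment(comment: str) -> Optional[Dict[str, str]]:
    """Parse 'using <proto> with k v [(qual)] ...' into a dict, else None."""
    m = re.match(r"using\s+(\S+)\s+with\s+(.*)$", comment)
    if not m:
        return None
    info = {"protocol": m.group(1)}
    for key, value, qual in _PAIR.findall(m.group(2)):
        info[key] = f"{value} {qual}" if qual else value
    return info


def tls_info(header: str) -> Optional[Dict[str, str]]:
    """Return the parsed TLS comment of a Received header, or None."""
    for c in comments(unfold(header)):
        info = parse_tls_comment(c)
        if info is not None:
            return info
    return None


# Assumed syntactic check for a DNS hostname: labels of 1-63 LDH characters,
# no leading/trailing hyphen, at most 253 characters overall.
_HOSTNAME = re.compile(
    r"^(?=.{1,253}$)(?!-)[a-z0-9-]{1,63}(?<!-)(\.(?!-)[a-z0-9-]{1,63}(?<!-))*$",
    re.IGNORECASE,
)


def sni_from_received(header: str) -> Optional[str]:
    """Return the logged server_name if present and well-formed, else None.

    The value is what the connecting client sent in its ClientHello, so a
    consumer should validate it before using it, e.g. before comparing it
    with the MX name it expected the sender to use.
    """
    info = tls_info(header)
    if not info or "server_name" not in info:
        return None
    name = info["server_name"]
    return name if _HOSTNAME.match(name) else None
```

Both the TLS 1.2 and TLS 1.3 sample headers parse with the same pair grammar; the only difference is which keys are present. A downstream check that matters for the thread's use case, comparing the logged SNI against the name the sender should have used, is left to the caller, since that depends on the receiving site's MX names.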