Open
Description
What's missing?
Not sure if I should file this as a bug or a feature request... doing the latter for now.
It appears that Rocket may be violating the HTTP (TLS extension) spec by not validating (or optionally not letting the crate user validate) the host header provided to the server against the TLS handshake requested SNI.
relevant http/1.1 spec: https://www.rfc-editor.org/rfc/rfc6066#section-11.1
relevant http/2 spec: https://httpwg.org/specs/rfc7540.html#reuse
Ideal Solution
No response
Why can't this be impl 6A38 emented outside of Rocket?
It appears only the TlsConfig is presented via the request.remote() function. It would be best if it provided the resolved ServerConfig instead... and also the handshake data which contains the requested SNI.
Are there workarounds usable today?
No response
Alternative Solutions
No response
Additional Context
No response
System Checks
- I do not believe that this feature can or should be implemented outside of Rocket.
- I was unable to find a previous request for this feature.
Metadata
Metadata
Assignees
Labels
Type
Projects
Status
Backlog