If I'm not mistaken,
the SoftEther protocol puts the hostname in the SSL header (TLS SNI, Server Name Indication)
AND in the HTTP (over SSL) protocol, BUT
in the HTTP protocol the hostname is replaced by the resolved IP!!
Is that a bug or is it by design?
It is very important for me that the real hostname appears in the HTTP header
because I have an overly restrictive business firewall, and the SSL request is actually going through a reverse proxy that identifies the request as being for SoftEther VPN thanks to the HTTP Host header.
(I'm pretty sure that NAT-T is being blocked (my client keeps sending DNSKEY? and ICMP requests but I never get responses), using VPN Azure seems to be very laggy, AND relying on an external service for a long time is not an option/a risk my organisation is ready to take.)
Does someone know what part of the source code I should read to attempt to modify this behaviour?
This would be very kind and helpful.
Thank you.
Server Name Indication / Host Name Indication
- Posts: 551
- Joined: Wed Jul 24, 2013 12:09 pm
Re: Server Name Indication / Host Name Indication
What error message do you see?
I asked a question about reverse proxy in the past. You can try to forward all traffic for the path /vpnsvc/.
http://www.vpnusers.com/viewtopic.php?f=7&t=2252
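To make the first post's problem and the reply's /vpnsvc/ suggestion concrete, here is an added example (not code from the thread or from SoftEther). It emulates the two reverse-proxy decisions: a name-based publishing rule that keys on the HTTP Host header, and a path-based rule that forwards everything under /vpnsvc/. The requests, the hostname vpn.example.org, the backend 10.0.0.5:443 and the IP 203.0.113.10 are all constructed for the illustration; the first request imitates what the poster saw with openssl s_server, a Host header carrying the resolved IP instead of the configured name.

```python
"""Name-based vs path-based reverse-proxy routing of a SoftEther-style request.

Added example; the requests and addresses below are constructed, not captured.
"""
import ipaddress

VHOSTS = {"vpn.example.org": "10.0.0.5:443"}   # assumed published-site table
VPN_PATH_PREFIX = "/vpnsvc/"                    # path the reply suggests forwarding
SNI = "vpn.example.org"                          # name the client put in TLS SNI

# Constructed sample: Host carries the resolved IP, as observed in the thread.
REQ_HOST_IS_IP = (
    "POST /vpnsvc/connect.cgi HTTP/1.1\r\n"
    "Host: 203.0.113.10\r\n"
    "Content-Type: application/octet-stream\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)
# Same request with Host set to the configured hostname.
REQ_HOST_IS_NAME = REQ_HOST_IS_IP.replace("Host: 203.0.113.10", "Host: vpn.example.org")
# Unrelated request arriving on the same port.
REQ_OTHER_PATH = "GET /index.html HTTP/1.1\r\nHost: vpn.example.org\r\n\r\n"


def parse_request(raw):
    """Return (method, target, headers) from the head of an HTTP/1.1 request."""
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers


def host_without_port(host):
    """Strip an optional :port; keep bracketed IPv6 literals intact."""
    if host.startswith("["):
        return host[1:host.index("]")]
    if host.count(":") == 1:
        return host.split(":", 1)[0]
    return host


def is_ip_literal(host):
    """True when the Host value is an IPv4/IPv6 literal rather than a DNS name."""
    try:
        ipaddress.ip_address(host_without_port(host))
        return True
    except ValueError:
        return False


def route_by_host(raw, vhosts=VHOSTS, sni=SNI):
    """Name-based rule: Host must name a published site and agree with the SNI."""
    _method, _target, headers = parse_request(raw)
    host = host_without_port(headers.get("host", ""))
    if is_ip_literal(host):
        return None, "Host header is an IP literal, no published site matches"
    if host != sni:
        return None, "Host header disagrees with TLS SNI"
    backend = vhosts.get(host)
    if backend is None:
        return None, "unknown host"
    return backend, "ok"


def route_by_path(raw, backend="10.0.0.5:443", prefix=VPN_PATH_PREFIX):
    """Path-based rule: forward anything under /vpnsvc/ regardless of Host."""
    _method, target, _headers = parse_request(raw)
    if target.startswith(prefix):
        return backend, "ok"
    return None, "path not published"


if __name__ == "__main__":
    for label, req in [("host=ip", REQ_HOST_IS_IP),
                       ("host=name", REQ_HOST_IS_NAME),
                       ("other path", REQ_OTHER_PATH)]:
        print(label, "| by host:", route_by_host(req), "| by path:", route_by_path(req))
```

Running it shows the two outcomes the thread is about: with Host set to the IP the name-based rule finds no published site and drops the request, while the path-based rule forwards it as long as the request target is under /vpnsvc/; the hostname-patched request passes both rules.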
- Posts: 551
- Joined: Wed Jul 24, 2013 12:09 pm
Re: Server Name Indication / Host Name Indication
However, I think that the best way is to use another public IP or change the port number.
You may want to consult your IT administrator.
- Posts: 14
- Joined: Wed Jul 15, 2015 9:41 am
Re: Server Name Indication / Host Name Indication
I do not really see an error: when I open a simple openssl s_server
I can see that the Host header
is Host: local_ip_of_client
(this is actually a vpn bridge with a cascade connection to server)
whereas in the SoftEther (VPN Bridge) manager, I put a hostname, not an IP.
I succeeded in making a workaround:
in the source code I replaced most occurrences of NewHttpHeader("Host", some_var)
by NewHttpHeader("Host", "hard_written_host_name")
and I successfully connected over the reverse proxy, but it seems
that traffic won't go over that connection. I don't know if the problem comes from SoftEther
or from the firewall policy of the reverse proxy.
I'm meeting an administrator today. I will maybe get more information about what is happening in this reverse proxy.
> use the path /vpnsvc/
Where do I put this path?
If I put it in the SoftEther (VPN Bridge) manager, cascade connection section,
the connection fails with the error message:
Error 1: connection to server failed, ...
(this may come from the modification I made, though)
- Posts: 551
- Joined: Wed Jul 24, 2013 12:09 pm
Re: Server Name Indication / Host Name Indication
Have you tried using multiple TCP connections and configuring a maximum lifetime for each connection, such as 3 seconds?
- Posts: 14
- Joined: Wed Jul 15, 2015 9:41 am
Re: Server Name Indication / Host Name Indication
I just tried the 3 s TCP connection lifetime (the default is 8 TCP sockets for the VPN Bridge cascade) and nothing changed at first glance.
I just spoke with the administrator; he looked at the packets in the firewall/reverse proxy (it is Microsoft Forefront TMG or something, which has both the functionality of a reverse proxy (working with hostname) and a firewall), and it seems that there are some malformed packets and the connection is often reset (likely because of this problem), but he couldn't get more information on this packet from this TMG thing; it is not very verbose.
For more information about what I did in the source code (if someone knows how the whole thing is working), the 5 lines I changed are:
1 in Cedar/Wpc.c: search for AddHttpValue(h, NewHttpValue("host", data->HeaderHostname));
2 in Cedar/Protocol.c: AddHttpValue(h, NewHttpValue("host", ip_str));
and AddHttpValue(h, NewHttpValue("host", server_host_name_tmp));
2 in Mayaqua/Protocol.c:
AddHttpValue(h, NewHttpValue("host", ip_str)); (both lines were identical)
and I replaced data->HeaderHostname, ip_str and server_host_name_tmp with my hard-coded hostname.
EDIT: the reverse proxy adds the following header:
Reverse-Via: CLOUD-TMG-2010
Could it possibly create bugs?
- Posts: 551
- Joined: Wed Jul 24, 2013 12:09 pm
Re: Server Name Indication / Host Name Indication
Is it possible to remove the Reverse-Via header?