Cannot get default_sni to work #7325
Description
1. Environment
1a. Operating system and version
Ubuntu 24.04.3 LTS
x86_64
1b. Caddy version (run caddy version or paste commit SHA)
v2.10.2
2. Description
2a. What happens
I am trying to support connections from a Beckhoff TwinCAT 3 IoT HTTPS/REST client, which seemingly does not send SNI.
My assumption was the following option would do the trick:
{
default_sni imusic.co
}However, the connection does not succeed:
$ gnutls-cli --disable-sni -p 443 imusic.co
Processed 147 CA certificate(s).
Resolving 'imusic.co:443'...
Connecting to '83.94.121.59:443'...
*** Fatal error: A TLS fatal alert has been received.
*** Received alert [80]: Internal error2c. Log output
No log entries are seen on the server.
Below is the output from nutls-cli --verbose --debug=9999 --disable-sni -p 443 imusic.co:
|<3>| ASSERT: common.c[_gnutls_x509_get_raw_field2]:1536
|<3>| ASSERT: x509.c[gnutls_x509_crt_get_subject_unique_id]:4029
|<3>| ASSERT: x509.c[gnutls_x509_crt_get_issuer_unique_id]:4076
Processed 147 CA certificate(s).
Resolving 'imusic.co:443'...
Connecting to '83.94.121.59:443'...
|<5>| REC[0xb2d290000]: Allocating epoch #0
|<2>| added 6 protocols, 29 ciphersuites, 22 sig algos and 10 groups into priority list
|<5>| REC[0xb2d290000]: Allocating epoch #1
|<4>| HSK[0xb2d290000]: Adv. version: 3.3
|<2>| Keeping ciphersuite 13.02 (GNUTLS_AES_256_GCM_SHA384)
|<2>| Keeping ciphersuite 13.03 (GNUTLS_CHACHA20_POLY1305_SHA256)
|<2>| Keeping ciphersuite 13.01 (GNUTLS_AES_128_GCM_SHA256)
|<2>| Keeping ciphersuite 13.04 (GNUTLS_AES_128_CCM_SHA256)
|<2>| Keeping ciphersuite c0.2c (GNUTLS_ECDHE_ECDSA_AES_256_GCM_SHA384)
|<2>| Keeping ciphersuite cc.a9 (GNUTLS_ECDHE_ECDSA_CHACHA20_POLY1305)
|<2>| Keeping ciphersuite c0.ad (GNUTLS_ECDHE_ECDSA_AES_256_CCM)
|<2>| Keeping ciphersuite c0.0a (GNUTLS_ECDHE_ECDSA_AES_256_CBC_SHA1)
|<2>| Keeping ciphersuite c0.2b (GNUTLS_ECDHE_ECDSA_AES_128_GCM_SHA256)
|<2>| Keeping ciphersuite c0.ac (GNUTLS_ECDHE_ECDSA_AES_128_CCM)
|<2>| Keeping ciphersuite c0.09 (GNUTLS_ECDHE_ECDSA_AES_128_CBC_SHA1)
|<2>| Keeping ciphersuite c0.30 (GNUTLS_ECDHE_RSA_AES_256_GCM_SHA384)
|<2>| Keeping ciphersuite cc.a8 (GNUTLS_ECDHE_RSA_CHACHA20_POLY1305)
|<2>| Keeping ciphersuite c0.14 (GNUTLS_ECDHE_RSA_AES_256_CBC_SHA1)
|<2>| Keeping ciphersuite c0.2f (GNUTLS_ECDHE_RSA_AES_128_GCM_SHA256)
|<2>| Keeping ciphersuite c0.13 (GNUTLS_ECDHE_RSA_AES_128_CBC_SHA1)
|<2>| Keeping ciphersuite 00.9d (GNUTLS_RSA_AES_256_GCM_SHA384)
|<2>| Keeping ciphersuite c0.9d (GNUTLS_RSA_AES_256_CCM)
|<2>| Keeping ciphersuite 00.35 (GNUTLS_RSA_AES_256_CBC_SHA1)
|<2>| Keeping ciphersuite 00.9c (GNUTLS_RSA_AES_128_GCM_SHA256)
|<2>| Keeping ciphersuite c0.9c (GNUTLS_RSA_AES_128_CCM)
|<2>| Keeping ciphersuite 00.2f (GNUTLS_RSA_AES_128_CBC_SHA1)
|<2>| Keeping ciphersuite 00.9f (GNUTLS_DHE_RSA_AES_256_GCM_SHA384)
|<2>| Keeping ciphersuite cc.aa (GNUTLS_DHE_RSA_CHACHA20_POLY1305)
|<2>| Keeping ciphersuite c0.9f (GNUTLS_DHE_RSA_AES_256_CCM)
|<2>| Keeping ciphersuite 00.39 (GNUTLS_DHE_RSA_AES_256_CBC_SHA1)
|<2>| Keeping ciphersuite 00.9e (GNUTLS_DHE_RSA_AES_128_GCM_SHA256)
|<2>| Keeping ciphersuite c0.9e (GNUTLS_DHE_RSA_AES_128_CCM)
|<2>| Keeping ciphersuite 00.33 (GNUTLS_DHE_RSA_AES_128_CBC_SHA1)
|<4>| EXT[0xb2d290000]: Preparing extension (Server Name Indication/0) for 'client hello'
|<4>| EXT[0xb2d290000]: Preparing extension (Extended Master Secret/23) for 'client hello'
|<4>| EXT[0xb2d290000]: Sending extension Extended Master Secret/23 (0 bytes)
|<4>| EXT[0xb2d290000]: Preparing extension (Client Certificate Type/19) for 'client hello'
|<4>| EXT[0xb2d290000]: Client certificate type was set to default cert type (X.509). We therefore do not send this extension.
|<4>| EXT[0xb2d290000]: Preparing extension (PSK Key Exchange Modes/45) for 'client hello'
|<4>| EXT[0xb2d290000]: Sending extension PSK Key Exchange Modes/45 (3 bytes)
|<4>| EXT[0xb2d290000]: Preparing extension (Maximum Record Size/1) for 'client hello'
|<4>| EXT[0xb2d290000]: Preparing extension (Supported EC Point Formats/11) for 'client hello'
|<4>| EXT[0xb2d290000]: Sending extension Supported EC Point Formats/11 (2 bytes)
|<4>| EXT[0xb2d290000]: Preparing extension (Record Size Limit/28) for 'client hello'
|<4>| EXT[0xb2d290000]: Sending extension Record Size Limit/28 (2 bytes)
|<4>| EXT[0xb2d290000]: Preparing extension (Supported Groups/10) for 'client hello'
|<4>| EXT[0xb2d290000]: Sent group SECP256R1 (0x17)
|<4>| EXT[0xb2d290000]: Sent group SECP384R1 (0x18)
|<4>| EXT[0xb2d290000]: Sent group SECP521R1 (0x19)
|<4>| EXT[0xb2d290000]: Sent group X25519 (0x1d)
|<4>| EXT[0xb2d290000]: Sent group X448 (0x1e)
|<4>| EXT[0xb2d290000]: Sent group FFDHE2048 (0x100)
|<4>| EXT[0xb2d290000]: Sent group FFDHE3072 (0x101)
|<4>| EXT[0xb2d290000]: Sent group FFDHE4096 (0x102)
|<4>| EXT[0xb2d290000]: Sent group FFDHE6144 (0x103)
|<4>| EXT[0xb2d290000]: Sent group FFDHE8192 (0x104)
|<4>| EXT[0xb2d290000]: Sending extension Supported Groups/10 (22 bytes)
|<4>| EXT[0xb2d290000]: Preparing extension (Signature Algorithms/13) for 'client hello'
|<4>| EXT[0xb2d290000]: sent signature algo (9.4) ML-DSA-44
|<4>| EXT[0xb2d290000]: sent signature algo (9.5) ML-DSA-65
|<4>| EXT[0xb2d290000]: sent signature algo (9.6) ML-DSA-87
|<4>| EXT[0xb2d290000]: sent signature algo (4.1) RSA-SHA256
|<4>| EXT[0xb2d290000]: sent signature algo (8.9) RSA-PSS-SHA256
|<4>| EXT[0xb2d290000]: sent signature algo (8.4) RSA-PSS-RSAE-SHA256
|<4>| EXT[0xb2d290000]: sent signature algo (4.3) ECDSA-SHA256
|<4>| EXT[0xb2d290000]: sent signature algo (8.7) EdDSA-Ed25519
|<4>| EXT[0xb2d290000]: sent signature algo (5.1) RSA-SHA384
|<4>| EXT[0xb2d290000]: sent signature algo (8.10) RSA-PSS-SHA384
|<4>| EXT[0xb2d290000]: sent signature algo (8.5) RSA-PSS-RSAE-SHA384
|<4>| EXT[0xb2d290000]: sent signature algo (5.3) ECDSA-SHA384
|<4>| EXT[0xb2d290000]: sent signature algo (8.8) EdDSA-Ed448
|<4>| EXT[0xb2d290000]: sent signature algo (6.1) RSA-SHA512
|<4>| EXT[0xb2d290000]: sent signature algo (8.11) RSA-PSS-SHA512
|<4>| EXT[0xb2d290000]: sent signature algo (8.6) RSA-PSS-RSAE-SHA512
|<4>| EXT[0xb2d290000]: sent signature algo (6.3) ECDSA-SHA512
|<4>| EXT[0xb2d290000]: sent signature algo (2.1) RSA-SHA1
|<4>| EXT[0xb2d290000]: sent signature algo (2.3) ECDSA-SHA1
|<4>| EXT[0xb2d290000]: Sending extension Signature Algorithms/13 (40 bytes)
|<4>| EXT[0xb2d290000]: Preparing extension (Supported Versions/43) for 'client hello'
|<2>| Advertizing version 3.4
|<2>| Advertizing version 3.3
|<2>| Advertizing version 3.2
|<2>| Advertizing version 3.1
|<4>| EXT[0xb2d290000]: Sending extension Supported Versions/43 (9 bytes)
|<4>| EXT[0xb2d290000]: Preparing extension (Session Ticket/35) for 'client hello'
|<4>| EXT[0xb2d290000]: Sending extension Session Ticket/35 (0 bytes)
|<4>| EXT[0xb2d290000]: Preparing extension (ALPN/16) for 'client hello'
|<4>| EXT[0xb2d290000]: Preparing extension (OCSP Status Request/5) for 'client hello'
|<4>| EXT[0xb2d290000]: Sending extension OCSP Status Request/5 (5 bytes)
|<4>| EXT[0xb2d290000]: Preparing extension (Post Handshake Auth/49) for 'client hello'
|<4>| EXT[0xb2d290000]: Preparing extension (Compress Certificate/27) for 'client hello'
|<4>| EXT[0xb2d290000]: Preparing extension (Safe Renegotiation/65281) for 'client hello'
|<4>| EXT[0xb2d290000]: Sending extension Safe Renegotiation/65281 (1 bytes)
|<4>| EXT[0xb2d290000]: Preparing extension (SRTP/14) for 'client hello'
|<4>| EXT[0xb2d290000]: Preparing extension (Cookie/44) for 'client hello'
|<4>| EXT[0xb2d290000]: Preparing extension (Encrypt-then-MAC/22) for 'client hello'
|<4>| EXT[0xb2d290000]: Sending extension Encrypt-then-MAC/22 (0 bytes)
|<4>| EXT[0xb2d290000]: Preparing extension (Server Certificate Type/20) for 'client hello'
|<4>| EXT[0xb2d290000]: Server certificate type was set to default cert type (X.509). We therefore do not send this extension.
|<4>| EXT[0xb2d290000]: Preparing extension (Key Share/51) for 'client hello'
|<4>| EXT[0xb2d290000]: sending key share for SECP256R1
|<4>| EXT[0xb2d290000]: sending key share for X25519
|<4>| EXT[0xb2d290000]: Sending extension Key Share/51 (107 bytes)
|<4>| EXT[0xb2d290000]: Preparing extension (Early Data/42) for 'client hello'
|<4>| EXT[0xb2d290000]: Preparing extension (ClientHello Padding/21) for 'client hello'
|<4>| EXT[0xb2d290000]: Preparing extension (Pre Shared Key/41) for 'client hello'
|<4>| HSK[0xb2d290000]: CLIENT HELLO was queued [374 bytes]
|<11>| HWRITE: enqueued [CLIENT HELLO] 374. Total 374 bytes.
|<11>| HWRITE FLUSH: 374 bytes in buffer.
|<5>| REC[0xb2d290000]: Preparing Packet Handshake(22) with length: 374 and min pad: 0
|<9>| ENC[0xb2d290000]: cipher: NULL, MAC: MAC-NULL, Epoch: 0
|<11>| WRITE: enqueued 379 bytes for 0x5. Total 379 bytes.
|<5>| REC[0xb2d290000]: Sent Packet[1] Handshake(22) in epoch 0 and length: 379
|<11>| HWRITE: wrote 1 bytes, 0 bytes left.
|<11>| WRITE FLUSH: 379 bytes in buffer.
|<11>| WRITE: wrote 379 bytes, 0 bytes left.
|<3>| ASSERT: buffers.c[get_last_packet]:1139
|<10>| READ: Got 5 bytes from 0x5
|<10>| READ: read 5 bytes from 0x5
|<10>| RB: Have 0 bytes into buffer. Adding 5 bytes.
|<10>| RB: Requested 5 bytes
|<5>| REC[0xb2d290000]: SSL 3.3 Alert packet received. Epoch 0, length: 2
|<5>| REC[0xb2d290000]: Expected Packet Handshake(22)
|<5>| REC[0xb2d290000]: Received Packet Alert(21) with length: 2
|<10>| READ: Got 2 bytes from 0x5
|<10>| READ: read 2 bytes from 0x5
|<10>| RB: Have 5 bytes into buffer. Adding 2 bytes.
|<10>| RB: Requested 7 bytes
|<5>| REC[0xb2d290000]: Decrypted Packet[0] Alert(21) with length: 2
|<5>| REC[0xb2d290000]: Alert[2|80] - Internal error - was received
|<3>| ASSERT: record.c[record_add_to_buffers]:887
|<3>| ASSERT: record.c[record_add_to_buffers]:894
|<3>| ASSERT: record.c[_gnutls_recv_in_buffers]:1565
|<3>| ASSERT: buffers.c[_gnutls_handshake_io_recv_int]:1412
|<3>| ASSERT: handshake.c[_gnutls_recv_handshake]:1613
|<3>| ASSERT: handshake.c[handshake_client]:3104
|<13>| BUF[HSK]: Emptied buffer
*** Fatal error: A TLS fatal alert has been received.
*** Received alert [80]: Internal error
|<3>| ASSERT: alert.c[gnutls_alert_send_appropriate]:382
2d. Workaround(s)
Not aware of any.
2e. Relevant links
Live domain that exhibits the issue: imusic.co
https://testtls.com/imusic.co/443 reports failure for requests w/o SNI:
3. Tutorial (minimal steps to reproduce the bug)
- Create a config with a public domain and
default_sni:
{
default_sni example.com
}
example.com {
root * /srv/path/public
encode
file_server
}
- Let Caddy obtain a SSL certificate for the domain
- Verify that normal TLS connections (with SNI) work:
gnutls-cli -p 443 example.com
...
- Handshake was completed
- Observe that TLS connections without SNI fail with a TLS fatal alert:
gnutls-cli --disable-sni -p 443 example.com
Processed 147 CA certificate(s).
Resolving 'example.com:443'...
Connecting to '1.2.3.4:443'...
*** Fatal error: A TLS fatal alert has been received.
*** Received alert [80]: Internal error
Assistance Disclosure
AI not used