Conversation

@backkem (Contributor) commented Jun 1, 2025

This fixes a specification bug where the hostname formation requires the certificate serial number, but it was not being advertised in mDNS TXT records, making it impossible for clients to form the correct hostname for TLS SNI.

Resolves the discrepancy between hostname formation requirements and mDNS advertisement specifications.
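To make the bug concrete, here is an added example (not code from the PR or the Open Screen spec) of the client-side check that fails before this change: it encodes and decodes DNS-SD TXT RDATA (the RFC 6763 length-prefixed `key=value` strings), then reports whether the `sn` entry a client needs for hostname formation is present and uses the `[A-Za-z0-9+/]` alphabet quoted from the spec. The `fp` key and all sample values are constructed for illustration; the hostname layout itself is not shown because the page does not give it.

```python
import re

# Alphabet the spec text gives for the encoded serial number value.
SN_VALUE = re.compile(r"^[A-Za-z0-9+/]+$")
# Keys a client needs before it can form the agent hostname; "sn" is the
# entry this PR adds to the advertisement (assumption: it is the only one).
REQUIRED_KEYS = ("sn",)


def encode_txt(pairs):
    """Build DNS-SD TXT RDATA: each 'key=value' as a length-prefixed string (RFC 6763)."""
    out = bytearray()
    for key, value in pairs.items():
        item = f"{key}={value}".encode("utf-8")
        if len(item) > 255:
            raise ValueError("TXT string exceeds 255 bytes")
        out.append(len(item))
        out += item
    return bytes(out)


def decode_txt(rdata):
    """Parse TXT RDATA into a dict; keys are case-insensitive, first occurrence wins."""
    records, i = {}, 0
    while i < len(rdata):
        n = rdata[i]
        item = rdata[i + 1:i + 1 + n]
        if len(item) != n:
            raise ValueError("truncated TXT string")
        i += 1 + n
        key, sep, value = item.decode("utf-8", "replace").partition("=")
        key = key.lower()
        if key and key not in records:
            records[key] = value if sep else None  # bare key (no '=') carries no value
    return records


def hostname_inputs_missing(txt):
    """Return the problems that stop a client from forming the agent hostname (empty if none)."""
    problems = []
    for key in REQUIRED_KEYS:
        if txt.get(key) is None:
            problems.append(f"{key} not advertised")
    sn = txt.get("sn")
    if sn is not None and not SN_VALUE.match(sn):
        problems.append("sn is not in the [A-Za-z0-9+/] alphabet")
    return problems


if __name__ == "__main__":
    before = decode_txt(encode_txt({"fp": "constructed-fingerprint"}))  # pre-PR advertisement
    after = decode_txt(encode_txt({"fp": "constructed-fingerprint", "sn": "QUJDREVGR0g"}))
    print("before:", hostname_inputs_missing(before))  # ['sn not advertised']
    print("after: ", hostname_inputs_missing(after))   # []
```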

@backkem backkem requested a review from markafoltz June 1, 2025 11:49
@baylesj baylesj self-requested a review September 25, 2025 23:52
Spec lines under review (Bikeshed source, shown as excerpted on the page):

    `[A-Za-z0-9+/]`.

    : sn
    :: The [=certificate serial number=] of the advertising agent, encoded as a
Contributor (reviewer):

Why is the agent fingerprint insufficient for computing the agent hostname? I also don't see any other reference to TLS SNI in this file, and it's not entirely clear to me why we even need Server Name Indication for this protocol. Can you please provide some additional context?

backkem (Contributor Author):

Been a while, from what I remember:

The serial number was introduced to solve #276. It is used as part of the subject name on the certificate. To keep connection logic as common as possible, I was also checking the subject name against the host being dialed. For the first-time dial I guess this could be seen as a bit of useless ceremony. For re-establishing a connection with a known (previously authenticated) certificate this does seem useful.

Regarding SNI: In a real browser setting I can imagine that you may want to use different connections per origin at some point (to ensure appropriate segregation). A different hostname is one way to represent that at the network level. SNI would allow doing this on one port. Also, it again keeps the use of TLS close to what is commonly done (which I think is an advantage because you can more easily use existing implementations).
