Matthew Graybosch — author of Without Bloodshed and Silent Clarion

Bitten by the SNI Bug

I recently learned that if you post a link that has a trailing dot like <matthewgraybosch.com.>, which can happen if you share a naked link like <matthewgraybosch.com> in a sentence and immediately follow with a period (to end the sentence), bad things happen.

For example…

None of this is fun, and I don't know of an easy fix. You see, if you're using HTTP to access a website, all it takes to remove a trailing dot is a mod_rewrite rule in your website's .htaccess file that issues an HTTP 301 redirect from <example.com.> to <example.com>.

Supposedly, the following is all you need.

# Redirect any request whose Host header ends in a single dot to the same
# path on the host without the dot. R=301 matches the permanent redirect
# described above; NE keeps %{REQUEST_URI} from being re-escaped.
RewriteEngine On
RewriteBase /
RewriteCond %{HTTP_HOST} ^(.+?)\.$
RewriteRule ^ http://%1%{REQUEST_URI} [L,R=301,NE]

However, things get more complicated when you use HTTPS to access a website, because of the Server Name Indication (SNI) bug. (Props to Opal for digging this up and pointing out that naked URLs should be enclosed in angle brackets according to the MLA and APA style guides as well as §2.4.3 of RFC 2396.)

According to Alex Yst, "the SNI host name and HTTP Host header do not always match. The SNI host name must never have a trailing dot, but the HTTP Host header must reflect a host name that is identical to the host name of the URI, so if the URI's host has a trailing dot, the HTTP Host header must include that trailing dot."

Here's where things get complicated. You can't simply add a rewrite rule to your website's .htaccess file when accepting requests over HTTPS. When a browser uses HTTPS, it negotiates the SSL connection and handles SNI before your HTTP server's rewrite rules ever come into play.

And because of the SNI bug, browsers that protect their users by refusing to load a site over HTTPS when it appears misconfigured or presents an invalid SSL certificate raise false alarms here, and there is nothing I can do about it on the server side.
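To make the layering concrete, here is an added example (my code, not from the original post or from Apache) that models the three pieces above for a trailing-dot URL: the names a client following Alex Yst's rule sends in SNI and in the Host header, what the .htaccess rule would answer if the request ever reached it, and the dot-stripping a reader can do by hand. The function names are mine; the host name is the post's own.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# The same pattern as the RewriteCond above: a host ending in exactly one dot.
TRAILING_DOT = re.compile(r"^(.+?)\.$")


def client_names(url: str) -> dict:
    """Names a client sends at each layer for `url`, per the rule quoted from
    Alex Yst: SNI never carries the trailing dot, Host mirrors the URI host."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    sni = host[:-1] if host.endswith(".") else host
    return {"sni": sni, "host_header": parts.netloc}


def rewrite_redirect(host_header: str, request_uri: str, scheme: str = "http"):
    """Simulate the RewriteCond/RewriteRule pair: (status, Location) or None.
    Over HTTPS this runs only after the TLS handshake succeeded, which is why it
    cannot help once the browser has already rejected the certificate.
    Note the regex does not match a Host header that carries a port
    (e.g. 'example.com.:8080'), so the rule would not fire there."""
    m = TRAILING_DOT.match(host_header)
    if not m:
        return None
    return 301, f"{scheme}://{m.group(1)}{request_uri}"


def strip_trailing_dot(url: str) -> str:
    """The manual client-side fix: remove the trailing dot from the URL's host."""
    parts = urlsplit(url)
    netloc = parts.netloc
    host = parts.hostname or ""
    if host.endswith("."):
        netloc = netloc.replace(host, host[:-1], 1)
    return urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))


if __name__ == "__main__":
    # Constructed input: the post's own domain with the offending trailing dot.
    url = "https://matthewgraybosch.com./about"
    names = client_names(url)
    print("SNI:", names["sni"], "| Host:", names["host_header"])
    print("rewrite would answer:", rewrite_redirect(names["host_header"], "/about", "https"))
    print("client-side fix:", strip_trailing_dot(url))
```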

The only fix seems to be on the client side. If you click a link to a URL with a dot at the end, and your browser freaks out, try removing the dot at the end of the URL and pressing the "enter" key (or its equivalent for mobile users).

Yes, I know it's a pain in the ass, and I'm sorry. I already tried to fix it, but I don't know what else to do.
