cURL incorrectly removes the trailing dot from HTTP Host headers

[AlexYst]

I did this

I ran "curl --insecure https://alice.sni.velox.ch./" on the command line

I expected the following

I expected cURL to send the following information:
SNI host name: alice.sni.velox.ch
HTTP Host header: alice.sni.velox.ch.

curl/libcurl version

7.38.0

[curl -V output perhaps?]
curl 7.38.0 (x86_64-pc-linux-gnu) libcurl/7.38.0 OpenSSL/1.0.1k zlib/1.2.8 libidn/1.29 libssh2/1.4.3 librtmp/2.3
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtmp rtsp scp sftp smtp smtps telnet tftp
Features: AsynchDNS IDN IPv6 Largefile GSS-API SPNEGO NTLM NTLM_WB SSL libz TLS-SRP

operating system

Debian 8

To quote a couple specifications:
https://tools.ietf.org/html/rfc6066#section-3 (SNI)
"HostName" contains the fully qualified DNS hostname of the server,
as understood by the client. The hostname is represented as a byte
string using ASCII encoding without a trailing dot.

https://tools.ietf.org/html/rfc7230#section-5.4 (HTTP)
A client MUST send a Host header field in all HTTP/1.1 request
messages. If the target URI includes an authority component, then a
client MUST send a field-value for Host that is identical to that
authority component, excluding any userinfo subcomponent and its "@"
delimiter (Section 2.7.1).

That means that the SNI host name and HTTP Host header do not always match. The SNI host name must never have a trailing dot, but the HTTP Host header must reflect a host name that is identical to the host name of the URI, so if the URI's host has a trailing dot, the HTTP Host header must include that trailing dot.

For example, if the URI of a page is https://alice.sni.velox.ch./, the following values should be sent by the Web browser:
SNI host: alice.sni.velox.ch
HTTP host: alice.sni.velox.ch.

However, while cURL properly strips the trailing dot off of the SNI host name as per RFC 6066, it also incorrectly strips the trailing dot off of the HTTP Host header.

[jay]

Ref https://savannah.gnu.org/bugs/index.php?47408

As I noted there none of the browsers strip off the trailing dot. Frankly I think it's better to strip it, I'd guess it provides better compatibility but really I don't have anything to back that up.

[bagder]

I disagree. I think it makes the most sense to treat SNI and Hosts: the same and that removing the dot is the sensible thing. But also, web servers such as Apache already strips that trailing dot themselves so sending the dot or not doesn't make a difference there.

As you already know but for newcomers, I took this issue to the HTTP WG mailing list earlier today, as I hope we can agree on a wider community on what the "correct" handling of this fields should be.

[bagder]

I've tested a bunch of sites to add a dot to the Host: name when not using the dot in the SNI field, and that causes breakages. Lots of sites simply show different content than without the dot (presumably because it no longer matches a known site so I get the default virtual host's content instead) and for all IIS hosted sites I've tested I get HTTP/1.1 400 Bad Request if the names differ.

[AlexYst]

Can you please give examples of such sites? When testing myself, I didn't find that error in any site that could handle a trailing dot in the HTTP Host header without TLS. Admittedly, I think IIS chokes on the trailing dot over HTTP or HTTPS. I've only seen the 400 error from Apache when sending a trailing dot in the SNI host name. NGINX doesn't even seem to care if the SNI host name is malformed.

[bagder]

I didn't test HTTP-only. I wanted to see how it works with HTTPS if we'd follow both RFCs as you say in your original post you think we should (strip dot + include dot). It is clear that doing so leads to 400 bad requests or wrong content in a large number of cases. I think that would be worse that what we're doing now.

The other alternative I think is to switch (back) to how the browsers work and include the dot in both cases. I'm not sure but I suspect that has a slightly higher failure rate. We should run some tests with that as well.

[bagder]

The list of sites returning a 400 on a nodot+dot combo included https://skandia.se, https://microsoft.se/ and https://sls.senecta.se/

[AlexYst]

It looks like all three of those websites return a 400 error over HTTP with a trailing dot on the domain as well. Those sites aren't choking on a "mismatch", they're choking on the trailing dot in the HTTP Host header, which is a bug on their end.

[bagder]

Bug or not, it means (some) IIS servers will do this on a trailing dot.

A popular site showing significantly different responses with the dot present or not in the Host: header:

$ curl -v https://www.yahoo.com -H "Host: www.yahoo.com" 

vs

$ curl -v https://www.yahoo.com -H "Host: www.yahoo.com." 

[AlexYst]

The Web server for that site doesn't have a response for that HTTP Host header. It's a bug in the server, in this case, but blaming cURL for that and striping of the trailing dot is like blaming cURL for the server sending a 404 error when you request https://example.com/not/an/existing/file.xhtml and trying to avoid requesting such pages. If the user isn't looking for the site that uses the trailing dot, they just won't put the trailing dot in the domain name of the URI that they ask cURL to request.

[bagder]

But can you show us a few sites that break when we remove the dot from the Host: header?

[AlexYst]

It's less common than sites that don't use "www.", that's for sure. I don't have any live examples at the moment.

My old website used to canonicalize URIs with redirects to the dotted version of the domain. That was back when I used HTTP instead of HTTPS though, and things seemed to break when I switched to HTTPS. I let people talk me into believing that the trailing dot is invalid in HTTPS URIs, so I removed the redirect. Now years later, when I can actually understand the specifications when I read them, I see that this wasn't an error in my URIs, but an error in most clients.

With that in mind, I'm reporting the bug in as many free software Web clients as I can test in, then going back to my preferred canonization as soon as I am self-hosted again.

In the case of stripping the trailing dot, this will cause a canonization redirect to become a redirect loop. As I'm following the specification to the letter, the bug isn't in my configuration, but in cURL's misinterpretation of such URIs. If you're comfortable with this misinterpretation, by all means, keep it. You should just be aware that that implementation does not follow the standards laid out in the RFCs. Anyone that doesn't want a trailing dot sent in the HTTP Host header won't be adding a trailing dot to domains in their URIs though, will they? Fixing this bug would allow cURL to follow the standards while remaining compatible with existing URIs.

[bagder]

The specs tell us how to behave. But when virtually nobody is following the specs, being the only one that holds the strict position and does a certain way will not benefit curl users and frankly it won't benefit the Internet at large either. Users will expect curl to behave mostly like the browsers work, in this aspect as well.

And the different behaviors in curl compared to the browsers is a concern and that's why we're discussing this on the http-wg list. The discussion on that list will then be used as feedback for me and us to make a decision on what curl should do with this matter in the future. Right now I maintain that following both specs (strip + nonstrip) seems to be the worst, web compat wise.

As basically nobody uses trailing dots on domain names in URLs anyway (possibly partly for this reason) this isn't a very big deal. And a users can in fact provide his/her own Host: header so curl can still be made to follow RFC7230 manually.