- Bug
- Resolution: Fixed
- P3
- 8
- b112
- generic
- generic
- Verified

Let's consider the following configuration:

1. There are two HTTPS sites on the same machine:
   https_service_1.test.machine
   https_service_2.test.machine
2. The KDC contains records for both HTTPS services:
   host/https_service_1.test.machine@TEST.REALM
   host/https_service_2.test.machine@TEST.REALM
3. The client wants to request the https_service_1.test.machine service, and it sends the SNI host name 'https_service_1.test.machine' during the handshake.

But currently the TGS-REQ from the client to the KDC contains the 'host/machine.name@TEST.REALM' service name, so SNI host names are not taken into account.

I think there should be a way to set a service principal for TLS_KRB5 cipher suites. SNI host names could be used here.