Connecting to FQDN peers with SNI is broken

[felixbrucker]

Currently when a FQDN is used to connect to a peer which requires SNI to correctly route the request to the host, no connection can be established. This is due to chia itself resolving the host and using the resulting ip to connect to it, breaking SNI.

[wjblanke]

3.9 aiohttp supports SNI so maybe it can be added

aio-libs/aiohttp#7543

What feature are you trying to implement exactly felix?

[felixbrucker]

I wanted to connect to a full node behind cloudflare, but it would be the same for users trying to connect to one behind nginx, given that they host multiple servers on the same port, for example 443. This however is currently broken and does not work, as the correct endpoint to connect to can not be mapped as that info is missing (bc it connects to the resolved ip instead of connecting to the hostname in the config, and letting the library handle resolving and properly connecting to it).

[felixbrucker]

I did some testing, i think there are two approaches to solve this:

• the normal way: pass in the host to ws_connect, for example: ws_connect("wss://some-fqdn.com/ws") instead of ws_connect("wss://1.2.3.4/ws"). In this case aiohttp already handles everything correctly and a connection can be established.
• the ugly way: continue to pass in the resolved ip as url, but also pass through the server_name argument and Host header set to the fqdn, for example:

ws_connect(
  "wss://1.2.3.4/ws",
  server_hostname=unresolved_peer_info.host,
  headers={
    "Host": unresolved_peer_info.host,
  },
)

Currently aiohttp can not set the server_hostname for ws_connect, see aio-libs/aiohttp#7942 (has been on main for 6 months)

[wjblanke]

Is this just farmers trying to connect to a node or do you want node-node traffic working like this?

[felixbrucker]

I'd love to see it work for both, but primary is farmer to node

[wjblanke]

Looks like we need a new release of main aiohttp as well

[wjblanke]

we can probably get farmer to node working

[felixbrucker]

for the ugly way, yes

i'd much prefer the correct way

[wjblanke]

node - node gossip may be an issue. i think it only supports ip. the bigger issue is the current strategy for nodes is to resolve as early as possible, so this is opposite of that.

[felixbrucker]

Yeah resolving happens in chia-blockchain before connecting and it makes sense for network based configs, like determining if a peer is trusted/whitelisted etc, but i'm not sure for which other reasons this might happen, or is needed even.

[wjblanke]

In the interim would running a proxy work to map the IP connections to a domain name? Its kludgy but should work

[felixbrucker]

Nope, because if you map ip to domain in a proxy you could just host on the ip itself in the first place, which is not desired and possible in my case.

[jack60612]

it is in our backlog as i mentioned in discord, not sure if this is an especially priority issue however.