backport 1.13: http: fixing a bug with IPv6 hosts

[Shikugawa]

Fixing a bug where HTTP parser offsets for IPv6 hosts did not include [] and Envoy assumed it did.
This results in mis-parsing addresses for IPv6 CONNECT requests and IPv6 hosts in fully URLs over HTTP/1.1

Risk Level: low
Testing: new unit, integration tests
Docs Changes: n/a
Release Notes: inline

[antoniovicente]

It would be good to understand the test failures seen on both the 1.13 and 1.14 backports. The changes in this PR don't seem to be related to those failures.

[cpakulski]

I think that the test failures are related to expired certificates. That was the reason for failures on 1.15 branch. I am investigating it.

[antoniovicente]

I think that the test failures are related to expired certificates. That was the reason for failures on 1.15 branch. I am investigating it.

interesting. What was the fix on 1.15?

[cpakulski]

The fix was to re-run a script which generates new set of certs valid until 2022: test/config/integration/certs/certs.sh.

I think the same problem may exists in test/extensions/transport_socket/tls.

[antoniovicente]

The fix was to re-run a script which generates new set of certs valid until 2022: test/config/integration/certs/certs.sh.

I think the same problem may exists in test/extensions/transport_socket/tls.

I assume we should backport the certs generated to 1.14 and 1.13 also.

[cpakulski]

Correct. PRs for certs in releases 1.13 and 1.14 are ready: #14503 and #14505.

[alyssawilk]

Do you know what's up with CI here? I kicked off a second run and it failed too.

[cpakulski]

It fails in IpVersions/ProxyFilterIntegrationTest.UpstreamTlsWithIpHost/IPv4. I am checking why it happens.

[cpakulski]

@Shikugawa I figured out why the test fails. fake_upstream was converted to use loopback address. To fix it modify
makeTcpListenSocket method in test/integration/fake_upstream.cc around line 368
to look as this:

 static Network::SocketPtr makeTcpListenSocket(uint32_t port, Network::Address::IpVersion version) {
  return makeTcpListenSocket(
      Network::Utility::parseInternetAddress(Network::Test::getLoopbackAddressString(version), port));
}

[Shikugawa]

/retest

[repokitteh-read-only]

Retrying Azure Pipelines:
Check envoy-presubmit isn't fully completed, but will still attempt retrying.
Retried failed jobs in: envoy-presubmit

🐱

Caused by: a #14464 (comment) was created by @Shikugawa.

see: more, trace.

[Shikugawa]

@cpakulski I found that the creation of the new cert chain is not quite. So it will be caused some strange SSL_ERROR_SYSCALL. This error can be derived from system call related errors. But have the possibility to be derived from invalid creation strategy of cert. openssl/openssl#9566. It had resolved with rewriting test/config/integration/certs/upstreamcert.cfg

[alyssawilk]

I think I said on the last PR it'd be good to split out TLS changes. Can we do that here and elsewhere? Sorry/thanks!

[cpakulski]

Created #14594 to bring TLS changes and make fake_upstream to use localhost. @Shikugawa Once #14594 is merged to 1.13 you can bring it here.

[cpakulski]

/retest

[repokitteh-read-only]

Retrying Azure Pipelines:
Retried failed jobs in: envoy-presubmit

🐱

Caused by: a #14464 (comment) was created by @cpakulski.

see: more, trace.