
Do not set SNI hostname if connecting to IP address #36

Merged
merged 1 commit into from
Feb 2, 2022

Conversation

jeremyevans
Contributor

RFC 6066, section 3, explicitly disallows the use of an IP address
as an SNI server name. So check if the connection is being made
to an IP address using the resolv regexps, and do not set an SNI
hostname in that case.

Note that this results in a warning in the tests, but that is due
to an issue in the openssl extension. A pull request has been
submitted to the openssl extension to remove that warning.

Revert the previous change that modified the regexp used for
checking the error message.

This not only fixes net/http tests, it also fixes tests for
webrick and open-uri when used with recent LibreSSL, which both make SSL connections to 127.0.0.1
in their tests.

@jeremyevans
Contributor Author

I've pushed a new version of this that doesn't cause any warnings, by unsetting verify_hostname if set and connecting to an IP address, but still keeping the post_connection_check to make sure the certificate provided matches the IP address. I plan to merge this in one week if there are no objections.

RFC 6066, section 3, explicitly disallows the use of an IP address
as an SNI server name.  So check if the connection is being made
to an IP address using the resolv regexps, and do not set an SNI
hostname in that case.

Recent changes to LibreSSL make it more strictly follow RFC 6066,
resulting in s.hostname= raising an error if passed an IP address.
When such versions of LibreSSL are used, this change not only fixes
the net/http tests, it also fixes tests for webrick and open-uri,
which both make SSL connections to 127.0.0.1 using net/http in
their tests.

Avoid warning in the openssl extension by unsetting
@ssl_context.verify_hostname if connecting to an IP address.
Make changes so that the post_connection_check still happens
when connecting to an IP address, which is necessary to keep
checking that the certificate returned includes the IP address,
which one of the tests depends on.

Revert the previous change that modified the regexp used for
checking the error message.
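The decision logic the commit message describes (detect an IP literal with the resolv regexps, send no SNI name for it, disable OpenSSL's built-in hostname check so the extension does not warn, but still run post_connection_check against the IP), written out as an added stand-alone example. This is not the net/http code from the pull request; the helper names and the bracket handling for IPv6 literals are my own.

```ruby
require 'resolv'
require 'openssl'

# Strip the brackets a caller may put around an IPv6 literal ("[::1]").
# net/http itself stores the address without them; this is a constructed helper.
def bare_host(address)
  address.sub(/\A\[(.*)\]\z/, '\1')
end

# True when +address+ is an IPv4 or IPv6 literal. RFC 6066 section 3 forbids
# sending such a literal as the SNI server name, so it is the trigger for
# the special handling below.
def ip_address?(address)
  host = bare_host(address)
  !!(host =~ Resolv::IPv4::Regex || host =~ Resolv::IPv6::Regex)
end

# SNI server name to send, or nil when none must be sent.
def sni_hostname_for(address)
  ip_address?(address) ? nil : address
end

# Keep certificate verification on, but turn off OpenSSL's own hostname
# check for IP literals: with no SNI name set, the openssl extension would
# otherwise warn. Returns the context so callers can chain.
def configure_context(ctx, address)
  ctx.verify_mode = OpenSSL::SSL::VERIFY_PEER
  ctx.verify_hostname = !ip_address?(address)
  ctx
end

# Wrap an already-connected +io+, set SNI only for real hostnames, and always
# run post_connection_check. For an IP literal the check matches the address
# against the certificate's subjectAltName iPAddress entries, so the identity
# check the PR wants to keep is not lost when verify_hostname is off.
def connect_ssl(io, ctx, address)
  ssl = OpenSSL::SSL::SSLSocket.new(io, ctx)
  sni = sni_hostname_for(address)
  ssl.hostname = sni if sni
  ssl.sync_close = true
  ssl.connect
  ssl.post_connection_check(bare_host(address))
  ssl
end
```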