strip square brackets to parse ipv6 in setup_verify_hostname #2320
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
I have a use case where I need to use TLS (well, HTTPS), to speak to a server that doesn't have a proper hostname in CN, although it has a IPv6 address in Subject Alternative Name.
However IPv6, unlike IPv4 is often specified with square brackets, so libraries can differentiate between different segments of it and a port. Both are delimited with
:, so IPv6 in the authority part of a url can be used like[2a01:cc00:bbbb:aaaa:1864:842:abcd:5fd2]:443.I've had some difficulties making cert verification work and in the end I found this function calling
set_hostwith[2a01:cc00:bbbb:aaaa:1864:842:abcd:5fd2]because it couldn't parse the IP so it was assuming it must be a hostname.RFC3986 Uniform Resource Identifier (URI): Generic Syntax says:
It means
[and]aren't even valid hostname characters so existence of this strip might exist here.TBH it's hard to say which layer of typical library "stack" should be responsible for this. It seems like a grey area a bit to me. Perhaps could be handled by all libraries using rust-openssl, but sometimes this is buried deep down in code, or straight up not possible to be done by users of such libraries because limited APIs, so why not just have it here?