It turns out that despite RFC 6066 section 3 stating
'Literal IPv4 and IPv6 addresses are not permitted in "HostName".'
for SNI, the TLS client implementations in Python and Ruby send an IP literal as the SNI host name anyway.
While chromium, firefox, lua(sec), java, go, ftp(1), curl, wget,
and others when acting as TLS clients all manage to get it right.
Both apache 2.4.25 and nginx 1.10.2p from ports do not strictly
enforce this on the server side, but httpd(8) does, because libtls rejects an IP-literal SNI in its servername callback (the check removed in the diff below).
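import httplib
import ssl

# Reproduction for the SNI/IP-literal behaviour described above: an
# HTTPSConnection to a bare IPv4 address makes Python 2.7 send "127.0.0.1"
# as the TLS SNI host_name, which RFC 6066 section 3 forbids.
#
# SECURITY: _create_unverified_context() is a private API that disables
# certificate and hostname verification entirely. That is only acceptable
# here because we are probing a local test server to see whether the
# handshake completes at all; never reuse this context against a real host.
ctx = ssl._create_unverified_context()
con = httplib.HTTPSConnection('127.0.0.1', 443, context=ctx)
try:
    con.request('GET', '/')
    res = con.getresponse()
    # 200 once the server accepts the IP-literal SNI; with the RFC 6066 check
    # in place the handshake fails earlier with an internal_error alert.
    print(res.status)
finally:
    # Always release the socket, even when the handshake raises ssl.SSLError.
    con.close()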
gives
$ python2.7 test.py
Traceback (most recent call last):
File "test.py", line 7, in <module>
con.request('GET', '/')
File "/usr/local/lib/python2.7/httplib.py", line 1042, in request
self._send_request(method, url, body, headers)
File "/usr/local/lib/python2.7/httplib.py", line 1082, in _send_request
self.endheaders(body)
File "/usr/local/lib/python2.7/httplib.py", line 1038, in endheaders
self._send_output(message_body)
File "/usr/local/lib/python2.7/httplib.py", line 882, in _send_output
self.send(msg)
File "/usr/local/lib/python2.7/httplib.py", line 844, in send
self.connect()
File "/usr/local/lib/python2.7/httplib.py", line 1263, in connect
server_hostname=server_hostname)
File "/usr/local/lib/python2.7/ssl.py", line 363, in wrap_socket
_context=self)
File "/usr/local/lib/python2.7/ssl.py", line 611, in __init__
self.do_handshake()
File "/usr/local/lib/python2.7/ssl.py", line 840, in do_handshake
self._sslobj.do_handshake()
ssl.SSLError: [SSL: TLSV1_ALERT_INTERNAL_ERROR] tlsv1 alert internal error
(_ssl.c:661)
After patching the check out of libtls (the diff below) and restarting httpd, the same script gives:
$ python2.7 test.py
200
Index: tls_server.c
===
RCS file: /cvs/src/lib/libtls/tls_server.c,v
retrieving revision 1.37
diff -u -p -r1.37 tls_server.c
--- tls_server.c6 May 2017 20:59:28 - 1.37
+++ tls_server.c6 Jun 2017 11:27:44 -
@@ -74,7 +74,6 @@ tls_servername_cb(SSL *ssl, int *al, voi
{
struct tls *ctx = (struct tls *)arg;
struct tls_sni_ctx *sni_ctx;
- union tls_addr addrbuf;
struct tls *conn_ctx;
const char *name;
int match;
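Review bot: Dropping `addrbuf` here is only consistent with the second hunk, which deletes the RFC 6066 section 3 IP-literal rejection that used it; that hunk and the rest of tls_servername_cb run past the end of this excerpt, so the new flow (the literal is accepted and strdup'd into `conn_ctx->servername`) cannot be fully checked here. The deviation from the RFC is deliberate, since the interop notes above name Python and Ruby clients that send IP literals, but once the check and its comment are gone nothing in the code records why, and a future reader may re-add it. Suggest keeping a one-line comment at the former check site, e.g. `/* RFC 6066 s3 forbids IP literals as SNI host_name, but common clients (python, ruby) send them; accept rather than abort the handshake. */`. It is also worth noting in that comment what an IP-literal servername does to the sni_ctx matching that follows; presumably it matches no configured certificate name and falls through to the default certificate, but that should be confirmed against the code below the hunk.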
@@ -90,11 +89,6 @@ tls_servername_cb(SSL *ssl, int *al, voi
*/
return (SSL_TLSEXT_ERR_NOACK);
}
-
- /* Per RFC 6066 section 3: ensure that name is not an IP literal. */
- if (inet_pton(AF_INET, name, ) == 1 ||
-inet_pton(AF_INET6, name, ) == 1)
- goto err;
free((char *)conn_ctx->servername);
if ((conn_ctx->servername = strdup(name)) == NULL)