Re: remove hostname not IP addr test in libtls tls_servername_cb()

2017-06-23 Thread Jonathan Gray
On Tue, Jun 06, 2017 at 09:51:53PM +1000, Jonathan Gray wrote:
> It turns out that despite RFC 6066 stating
> 'Literal IPv4 and IPv6 addresses are not permitted in "HostName".'
> for SNI the implementations of TLS in python and ruby do this.
> 
> While chromium, firefox, lua(sec), java, go, ftp(1), curl, wget,
> and others when acting as TLS clients all manage to get it right.
> 
> Both apache 2.4.25 and nginx 1.10.2p from ports do not strictly
> enforce this on the server side but httpd(8) does as libtls does.

Joel mentioned this would incorrectly match an ip literal and suggested
returning SSL_TLSEXT_ERR_NOACK instead of SSL_TLSEXT_ERR_ALERT_FATAL for
this case which is enough for python and ruby to work despite violating
the RFC.

Index: tls_server.c
===
RCS file: /cvs/src/lib/libtls/tls_server.c,v
retrieving revision 1.39
diff -u -p -r1.39 tls_server.c
--- tls_server.c22 Jun 2017 18:03:57 -  1.39
+++ tls_server.c23 Jun 2017 07:25:09 -
@@ -94,7 +94,7 @@ tls_servername_cb(SSL *ssl, int *al, voi
/* Per RFC 6066 section 3: ensure that name is not an IP literal. */
if (inet_pton(AF_INET, name, ) == 1 ||
 inet_pton(AF_INET6, name, ) == 1)
-   goto err;
+   return (SSL_TLSEXT_ERR_NOACK);
 
free((char *)conn_ctx->servername);
if ((conn_ctx->servername = strdup(name)) == NULL)
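Review bot: the comment above the check, "ensure that name is not an IP literal", now describes a case that is quietly ignored rather than rejected; reword it to say that an IP literal in SNI is not acknowledged (RFC 6066 section 3 forbids it, but some clients send one anyway). Returning SSL_TLSEXT_ERR_NOACK here also means the function returns before `conn_ctx->servername` is set, so the literal is never recorded as the connection's servername and never reaches the SNI matching below; that is the intended effect of the change and deserves a sentence in the comment. Separately, the third argument of both inet_pton() calls reads as empty in the archived listing (`inet_pton(AF_INET, name, ) == 1`); presumably the archive dropped the address buffer, but confirm the committed line still passes it.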


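An added example, not libtls code and not part of this thread, that models the decision the patches above choose between for an SNI HostName that is an IP literal: the inet_pton() test from the libtls check, the original path that aborts the handshake with a fatal alert (what the python2.7 client ran into), and the revised path that returns "no acknowledgement" so the handshake continues without SNI matching. The enum and function names are mine, standing in for the SSL_TLSEXT_ERR_* codes, and the sample names in main() are constructed.

```c
/*
 * Added illustration, not libtls code: the decision a TLS server's SNI
 * callback makes when the offered HostName is an IP literal, before and
 * after the change discussed in this thread.
 */
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <stdio.h>

/* Stand-ins for OpenSSL's SSL_TLSEXT_ERR_* return codes (assumed names). */
enum sni_result {
	SNI_OK,		/* name accepted, SNI matching proceeds */
	SNI_NOACK,	/* name ignored, handshake continues without SNI */
	SNI_ALERT_FATAL	/* handshake aborted with a fatal alert */
};

/*
 * RFC 6066 section 3: "Literal IPv4 and IPv6 addresses are not permitted
 * in HostName".  Detect a literal the way the libtls check does, by asking
 * inet_pton() whether the string parses as an address.
 */
int
sni_name_is_ip_literal(const char *name)
{
	struct in_addr addr4;
	struct in6_addr addr6;

	return (inet_pton(AF_INET, name, &addr4) == 1 ||
	    inet_pton(AF_INET6, name, &addr6) == 1);
}

/*
 * Policy before the change: an IP literal is treated as an internal error
 * and the handshake is torn down with a fatal alert.
 */
enum sni_result
sni_policy_strict(const char *name)
{
	if (sni_name_is_ip_literal(name))
		return (SNI_ALERT_FATAL);
	return (SNI_OK);
}

/*
 * Policy after the change: the literal is simply not acknowledged.  The
 * connection proceeds on the default certificate, the name is never
 * recorded as the connection's servername, and no SNI matching is done.
 */
enum sni_result
sni_policy_noack(const char *name)
{
	if (sni_name_is_ip_literal(name))
		return (SNI_NOACK);
	return (SNI_OK);
}

static const char *
sni_result_str(enum sni_result r)
{
	switch (r) {
	case SNI_OK:
		return "OK";
	case SNI_NOACK:
		return "NOACK";
	default:
		return "ALERT_FATAL";
	}
}

int
main(void)
{
	/* Constructed sample HostName values a client might send. */
	const char *names[] = {
		"www.example.com", "127.0.0.1", "::1", "2001:db8::1", "localhost"
	};
	size_t i;

	for (i = 0; i < sizeof(names) / sizeof(names[0]); i++)
		printf("%-16s literal=%d strict=%s noack=%s\n", names[i],
		    sni_name_is_ip_literal(names[i]),
		    sni_result_str(sni_policy_strict(names[i])),
		    sni_result_str(sni_policy_noack(names[i])));
	return 0;
}
```

Note that inet_pton() only recognises bare address text; the point of the NOACK variant is that a literal is neither fatal nor fed into certificate-name matching, while an ordinary hostname still takes the SNI_OK path.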

Re: remove hostname not IP addr test in libtls tls_servername_cb()

2017-06-11 Thread Anders Berggren
> On 6 Jun 2017, at 12:51, Jonathan Gray  wrote:
> While chromium, firefox, lua(sec), java, go, ftp(1), curl, wget,
> and others when acting as TLS clients all manage to get it right.
> 
> Both apache 2.4.25 and nginx 1.10.2p from ports do not strictly
> enforce this on the server side but httpd(8) does as libtls does.

This fixes TLS in httpd(8) on Safari for me.



remove hostname not IP addr test in libtls tls_servername_cb()

2017-06-06 Thread Jonathan Gray
It turns out that despite RFC 6066 stating
'Literal IPv4 and IPv6 addresses are not permitted in "HostName".'
for SNI the implementations of TLS in python and ruby do this.

While chromium, firefox, lua(sec), java, go, ftp(1), curl, wget,
and others when acting as TLS clients all manage to get it right.

Both apache 2.4.25 and nginx 1.10.2p from ports do not strictly
enforce this on the server side but httpd(8) does as libtls does.

import httplib
import ssl

ctx = ssl._create_unverified_context()
con = httplib.HTTPSConnection('127.0.0.1', 443, context=ctx)

con.request('GET', '/')
res = con.getresponse()
print(res.status)

gives

$ python2.7 test.py
Traceback (most recent call last):
  File "test.py", line 7, in 
con.request('GET', '/')
  File "/usr/local/lib/python2.7/httplib.py", line 1042, in request
self._send_request(method, url, body, headers)
  File "/usr/local/lib/python2.7/httplib.py", line 1082, in _send_request
self.endheaders(body)
  File "/usr/local/lib/python2.7/httplib.py", line 1038, in endheaders
self._send_output(message_body)
  File "/usr/local/lib/python2.7/httplib.py", line 882, in _send_output
self.send(msg)
  File "/usr/local/lib/python2.7/httplib.py", line 844, in send
self.connect()
  File "/usr/local/lib/python2.7/httplib.py", line 1263, in connect
server_hostname=server_hostname)
  File "/usr/local/lib/python2.7/ssl.py", line 363, in wrap_socket
_context=self)
  File "/usr/local/lib/python2.7/ssl.py", line 611, in __init__
self.do_handshake()
  File "/usr/local/lib/python2.7/ssl.py", line 840, in do_handshake
self._sslobj.do_handshake()
ssl.SSLError: [SSL: TLSV1_ALERT_INTERNAL_ERROR] tlsv1 alert internal error (_ssl.c:661)

after patching the check out of libtls and restarting httpd

$ python2.7 test.py
200

Index: tls_server.c
===
RCS file: /cvs/src/lib/libtls/tls_server.c,v
retrieving revision 1.37
diff -u -p -r1.37 tls_server.c
--- tls_server.c6 May 2017 20:59:28 -   1.37
+++ tls_server.c6 Jun 2017 11:27:44 -
@@ -74,7 +74,6 @@ tls_servername_cb(SSL *ssl, int *al, voi
 {
struct tls *ctx = (struct tls *)arg;
struct tls_sni_ctx *sni_ctx;
-   union tls_addr addrbuf;
struct tls *conn_ctx;
const char *name;
int match;
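Review bot: removing `union tls_addr addrbuf;` is only correct together with the second hunk, which deletes the sole use of the buffer in the inet_pton() calls; if the literal check is kept in any form (the revised diff later in this thread keeps it and returns SSL_TLSEXT_ERR_NOACK), this declaration has to stay. Check as well whether the `union tls_addr` type has any remaining users once this declaration goes.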
@@ -90,11 +89,6 @@ tls_servername_cb(SSL *ssl, int *al, voi
 */
return (SSL_TLSEXT_ERR_NOACK);
}
-
-   /* Per RFC 6066 section 3: ensure that name is not an IP literal. */
-   if (inet_pton(AF_INET, name, ) == 1 ||
-inet_pton(AF_INET6, name, ) == 1)
-   goto err;
 
free((char *)conn_ctx->servername);
if ((conn_ctx->servername = strdup(name)) == NULL)
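Review bot: deleting the check outright changes more than the error path: an IP literal now goes through `strdup(name)` into `conn_ctx->servername` and on into the SNI matching below, where it will be compared against certificate names (the "incorrectly match an ip literal" point raised later in the thread). The lighter fix that still tolerates the python and ruby clients is to keep the inet_pton() test and return SSL_TLSEXT_ERR_NOACK instead of `goto err`, so the literal is neither fatal nor matched; the RFC 6066 comment should then be reworded to say the literal is ignored rather than rejected.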