It turns out that, despite RFC 6066 section 3 stating
'Literal IPv4 and IPv6 addresses are not permitted in "HostName".'
for SNI, the TLS client implementations in Python and Ruby do exactly
that: when connecting to an address they send the IP literal as the
SNI host name.

Chromium, Firefox, lua(sec), Java, Go, ftp(1), curl, wget and others,
when acting as TLS clients, all get this right and do not send an IP
literal in SNI.

Neither apache 2.4.25 nor nginx 1.10.2p from ports enforces this on the
server side, but httpd(8) does, because libtls does.

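import httplib  # Python 2.7 name; http.client on Python 3
import ssl

ctx = ssl._create_unverified_context()  # private API: no cert/hostname verification, local repro only
con = httplib.HTTPSConnection('127.0.0.1', 443, context=ctx)  # httplib sends this host as the SNI name

con.request('GET', '/')  # connect() and the TLS handshake happen here
res = con.getresponse()
print(res.status)
# Release the socket explicitly instead of relying on interpreter exit.
con.close()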

gives

$ python2.7 test.py
Traceback (most recent call last):
  File "test.py", line 7, in <module>
    con.request('GET', '/')
  File "/usr/local/lib/python2.7/httplib.py", line 1042, in request
    self._send_request(method, url, body, headers)
  File "/usr/local/lib/python2.7/httplib.py", line 1082, in _send_request
    self.endheaders(body)
  File "/usr/local/lib/python2.7/httplib.py", line 1038, in endheaders
    self._send_output(message_body)
  File "/usr/local/lib/python2.7/httplib.py", line 882, in _send_output
    self.send(msg)
  File "/usr/local/lib/python2.7/httplib.py", line 844, in send
    self.connect()
  File "/usr/local/lib/python2.7/httplib.py", line 1263, in connect
    server_hostname=server_hostname)
  File "/usr/local/lib/python2.7/ssl.py", line 363, in wrap_socket
    _context=self)
  File "/usr/local/lib/python2.7/ssl.py", line 611, in __init__
    self.do_handshake()
  File "/usr/local/lib/python2.7/ssl.py", line 840, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLError: [SSL: TLSV1_ALERT_INTERNAL_ERROR] tlsv1 alert internal error 
(_ssl.c:661)

After patching the RFC 6066 check out of libtls (diff below) and restarting httpd, the same script succeeds:

$ python2.7 test.py
200

Index: tls_server.c
===================================================================
RCS file: /cvs/src/lib/libtls/tls_server.c,v
retrieving revision 1.37
diff -u -p -r1.37 tls_server.c
--- tls_server.c        6 May 2017 20:59:28 -0000       1.37
+++ tls_server.c        6 Jun 2017 11:27:44 -0000
@@ -74,7 +74,6 @@ tls_servername_cb(SSL *ssl, int *al, voi
 {
        struct tls *ctx = (struct tls *)arg;
        struct tls_sni_ctx *sni_ctx;
-       union tls_addr addrbuf;
        struct tls *conn_ctx;
        const char *name;
        int match;
@@ -90,11 +89,6 @@ tls_servername_cb(SSL *ssl, int *al, voi
                 */
                return (SSL_TLSEXT_ERR_NOACK);
        }
-
-       /* Per RFC 6066 section 3: ensure that name is not an IP literal. */
-       if (inet_pton(AF_INET, name, &addrbuf) == 1 ||
-            inet_pton(AF_INET6, name, &addrbuf) == 1)
-               goto err;
 
        free((char *)conn_ctx->servername);
        if ((conn_ctx->servername = strdup(name)) == NULL)
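Review bot: Removing the RFC 6066 check outright lets an IP literal reach the `strdup(name)` below and be stored as `conn_ctx->servername`, where it presumably drives the SNI certificate lookup further down; a smaller change that still tolerates Python and Ruby clients is to keep the `inet_pton()` test and, like the missing-servername path just above it, `return (SSL_TLSEXT_ERR_NOACK);` instead of `goto err`, so the handshake proceeds on the default certificate and no IP literal is recorded. That also keeps the `union tls_addr addrbuf;` declaration the first hunk deletes. Whichever variant is chosen, the existing comment should say why the deviation from RFC 6066 is deliberate, e.g. `/* Per RFC 6066 section 3 this is an error, but Python and Ruby clients send IP literals; pretend the extension was absent. */`, so the check is not "fixed" back later. tls_servername_cb starts before and ends after this hunk.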
