On Tue, Jun 06, 2017 at 09:51:53PM +1000, Jonathan Gray wrote:
> It turns out that despite RFC 6066 stating
> 'Literal IPv4 and IPv6 addresses are not permitted in "HostName".'
> for SNI the implementations of TLS in python and ruby do this.
>
> While chromium, firefox, lua(sec), java, go, ftp(1), curl, wget,
> and others when acting as TLS clients all manage to get it right.
>
> Both apache 2.4.25 and nginx 1.10.2p from ports do not strictly
> enforce this on the server side but httpd(8) does as libtls does.
Joel mentioned this would incorrectly match an ip literal and suggested returning SSL_TLSEXT_ERR_NOACK instead of SSL_TLSEXT_ERR_ALERT_FATAL for this case which is enough for python and ruby to work despite violating the RFC. Index: tls_server.c =================================================================== RCS file: /cvs/src/lib/libtls/tls_server.c,v retrieving revision 1.39 diff -u -p -r1.39 tls_server.c --- tls_server.c 22 Jun 2017 18:03:57 -0000 1.39 +++ tls_server.c 23 Jun 2017 07:25:09 -0000 @@ -94,7 +94,7 @@ tls_servername_cb(SSL *ssl, int *al, voi /* Per RFC 6066 section 3: ensure that name is not an IP literal. */ if (inet_pton(AF_INET, name, &addrbuf) == 1 || inet_pton(AF_INET6, name, &addrbuf) == 1) - goto err; + return (SSL_TLSEXT_ERR_NOACK); free((char *)conn_ctx->servername); if ((conn_ctx->servername = strdup(name)) == NULL)
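Review bot: the early `return (SSL_TLSEXT_ERR_NOACK)` changes the IP-literal case from aborting the handshake to silently continuing without acknowledging the extension, but the comment just above it, "Per RFC 6066 section 3: ensure that name is not an IP literal.", still reads as if the name is rejected; reword it to say the literal is ignored (SNI not acknowledged, handshake proceeds with the default certificate) so a later reader does not go looking for the fatal alert. Returning before the `free()`/`strdup()` pair also leaves `conn_ctx->servername` at whatever value it already held, which is the intended effect here but deserves a one-line comment since nothing in the hunk makes that explicit.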
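To make the accepted/ignored boundary of that `inet_pton()` test visible, here is the same check pulled out as an added example (not libtls code); `sni_is_ip_literal`, `sni_verdict_for` and the `SNI_*` enum are stand-ins of my own, not the SSL_TLSEXT_ERR_* constants from the library headers.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <sys/socket.h>

/* Returns 1 if the SNI host name parses as an IPv4 or IPv6 literal,
 * 0 otherwise. This is the test used in the patch above. */
int sni_is_ip_literal(const char *name)
{
	union {
		struct in_addr in4;
		struct in6_addr in6;
	} addrbuf;

	/* inet_pton() is strict: only a full dotted quad or a valid
	 * textual IPv6 address (no brackets) returns 1. */
	if (inet_pton(AF_INET, name, &addrbuf) == 1)
		return 1;
	if (inet_pton(AF_INET6, name, &addrbuf) == 1)
		return 1;
	return 0;
}

/* Constructed stand-ins for the OK / NOACK callback results. */
enum sni_verdict { SNI_USE_NAME = 0, SNI_NOACK = 1 };

/* The decision the patched callback makes: an IP literal is ignored
 * (extension not acknowledged, default certificate used) instead of
 * being rejected with a fatal alert. */
enum sni_verdict sni_verdict_for(const char *name)
{
	return sni_is_ip_literal(name) ? SNI_NOACK : SNI_USE_NAME;
}

int main(void)
{
	/* Constructed sample names covering the edge cases. */
	const char *names[] = { "example.org", "192.0.2.10", "2001:db8::1",
	    "::ffff:192.0.2.10", "192.0.2", "[2001:db8::1]" };
	size_t i;

	for (i = 0; i < sizeof(names) / sizeof(names[0]); i++)
		printf("%-20s %s\n", names[i],
		    sni_verdict_for(names[i]) == SNI_NOACK ? "NOACK" : "use name");
	return 0;
}
```

Note that a bracketed IPv6 form and a truncated dotted quad are not caught by this test and would be stored as a host name, while an IPv4-mapped IPv6 literal is caught.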