Project

General

Profile

Bug #10613

SNI is not optional when using TLS

Added by edk750 (Eddy Kim) about 6 years ago. Updated 7 months ago.

Status:
Closed
Priority:
Normal
Target version:
-
ruby -v:
2.1
[ruby-core:66928]
Tags:

Description

If ruby is using openssl with TLS extensions, and we attempt to connect to a server which supports TLS, but not SNI, the connection fails.

e.g.:

uri = URI.parse("https://example.com") # a server that supports TLSv1 but not the TLS extensions
http = Net::HTTP.new(uri.host, uri.port)
http.use_ssl = true
http.ssl_version = :TLSv1
http.verify_mode = OpenSSL::SSL::VERIFY_PEER
response = http.get(url)
OpenSSL::SSL::SSLError: SSL_connect returned=1 errno=0 state=SSLv3 read server hello B: parse tlsext

If I patch the Net::HTTP#connect method to not assign the hostname to the socket (s), we can avoid this error.


Files

optional-sni.patch (1019 Bytes) optional-sni.patch patch to disable SNI edk750 (Eddy Kim), 12/17/2014 10:47 PM

Also available in: Atom PDF