Bug #16692

closed

net/http SNI not RFC 6066 compliant & wrong certificate hit

Added by aeris (Nicolas Vinot) over 4 years ago. Updated over 4 years ago.

Status:
Closed
Assignee:
-
Target version:
-
[ruby-core:97513]

Description

Hi,

Currently, net/http sets the SNI to the address you want to connect to.
https://github.com/ruby/ruby/blob/master/lib/net/http.rb#L1025-L1026

This is maybe a wrong assumption, because you can want to connect to a specific IP address but request a host specified via the HTTP Host header.

require 'net/http'

http            = Net::HTTP.new '127.0.0.1', 443 # Forcing IP address
http.use_ssl    = true
request         = Net::HTTP::Get.new '/'
request['Host'] = 'localhost'                     # Host header differs from the address
response        = http.request request            # SNI is sent as 127.0.0.1, not localhost

Currently you hit the wrong-certificate behavior because SNI is set to 127.0.0.1 instead of localhost as expected.

The current implementation is also not compliant with RFC 6066.

Literal IPv4 and IPv6 addresses are not permitted in "HostName".

I first thought to fix this behavior by setting SNI to the Host header, but it seems we don't have access to the request context in this part of the code… :(

Updated by aeris (Nicolas Vinot) over 4 years ago

Seems [this 2.7 patch](https://github.com/ruby/ruby/commit/54072e329cab7207fba133caba4fc12b45add8f9) fixes the problem.
It would be interesting to backport it to 2.6.

Updated by jeremyevans0 (Jeremy Evans) over 4 years ago

  • Status changed from Open to Closed

54072e329cab7207fba133caba4fc12b45add8f9 was added as a feature in Ruby 2.7, and we only backport bug fixes to released versions, not features. You will have to upgrade to Ruby 2.7 if you would like this to work, using the new :ipaddr option.
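As an added example (not code from this ticket, from the linked commit, or from net/http itself), the script below shows what the Ruby 2.7+ ipaddr option buys you: the TCP connection goes to the literal IP while the certificate check, the SNI value and the Host header all use the hostname. It assumes a loopback TLS server started in-process on an ephemeral port, a self-signed certificate constructed for the example, and the stdlib `servername_cb` hook to record the SNI name from the ClientHello.

```ruby
require 'net/http'
require 'openssl'
require 'socket'

# Added example, not part of the ticket or of net/http. The certificate and
# the loopback server are constructed here so the script runs offline.

# Self-signed certificate for +hostname+ with a matching SAN, so the client
# can keep VERIFY_PEER instead of disabling verification.
def make_self_signed_cert(hostname)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  name = OpenSSL::X509::Name.parse("/CN=#{hostname}")
  cert.version    = 2
  cert.serial     = 1
  cert.subject    = name
  cert.issuer     = name
  cert.public_key = key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate  = cert
  cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
  cert.add_extension(ef.create_extension('subjectAltName', "DNS:#{hostname}"))
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  [key, cert]
end

# One-shot HTTPS server on 127.0.0.1 that records the SNI name presented in
# the handshake and the Host header of the single request it serves.
# Returns [port, seen, thread, server].
def start_recording_server(key, cert)
  tcp = TCPServer.new('127.0.0.1', 0)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.cert = cert
  ctx.key  = key
  seen = { sni: nil, host: nil, error: nil }
  # OpenSSL invokes this during the handshake with [socket, servername];
  # returning nil keeps the current context.
  ctx.servername_cb = proc { |_sock, name| seen[:sni] = name; nil }
  server = OpenSSL::SSL::SSLServer.new(tcp, ctx)
  thread = Thread.new do
    begin
      conn = server.accept
      while (line = conn.gets) && line != "\r\n"
        seen[:host] = line.split(':', 2).last.strip if line =~ /\AHost:/i
      end
      conn.write("HTTP/1.1 200 OK\r\nConnection: close\r\nContent-Length: 2\r\n\r\nok")
      conn.close
    rescue StandardError => e
      seen[:error] = e
    end
  end
  [tcp.addr[1], seen, thread, server]
end

# Connects to +ipaddr+ while +host+ stays the name used for SNI, for the
# Host header and for certificate verification. Returns what the server
# observed plus the response body.
def observe_sni(host, ipaddr)
  key, cert = make_self_signed_cert(host)
  port, seen, thread, server = start_recording_server(key, cert)
  begin
    http = Net::HTTP.new(host, port)
    http.ipaddr      = ipaddr                      # Ruby 2.7+: TCP connect goes here
    http.use_ssl     = true
    http.verify_mode = OpenSSL::SSL::VERIFY_PEER
    http.cert_store  = OpenSSL::X509::Store.new.tap { |s| s.add_cert(cert) }
    response = http.start { |h| h.request(Net::HTTP::Get.new('/')) }
    thread.join
    raise seen[:error] if seen[:error]
    { sni: seen[:sni], host_header: seen[:host], body: response.body }
  ensure
    server.close
  end
end

if $PROGRAM_NAME == __FILE__
  p observe_sni('localhost', '127.0.0.1')
end
```

With the pre-2.7 pattern from the ticket (address `'127.0.0.1'` plus a manual Host header) the same server would see the IP literal in SNI, and peer verification would have to match the certificate against `127.0.0.1`; with ipaddr the address only changes where the socket connects.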

Updated by nagachika (Tomoyuki Chikanaga) over 4 years ago

  • Backport changed from 2.5: UNKNOWN, 2.6: UNKNOWN, 2.7: UNKNOWN to 2.5: WONTFIX, 2.6: WONTFIX, 2.7: DONTNEED

As Jeremy mentioned, I have considered the changeset a new feature for [Feature #5180].
I will fill in the Backport field.
