Bug #16692
Closed
net/http SNI not RFC 6066 compliant & wrong certificate hit
Description
Hi,
Currently, net/http sets the SNI to the address you want to connect to.
https://github.com/ruby/ruby/blob/master/lib/net/http.rb#L1025-L1026
This may be a wrong assumption, because you may want to connect to a specific IP address while requesting a host specified via an HTTP Host header.
```ruby
require 'net/http'

http = Net::HTTP.new '127.0.0.1', 443 # Forcing IP address
http.use_ssl = true
request = Net::HTTP::Get.new '/'
request['Host'] = 'localhost' # Virtual host we actually want
response = http.request request
```
Currently you hit the wrong certificate behavior because SNI is set to 127.0.0.1 instead of localhost as expected.
The current implementation is also not compliant with RFC 6066.
Literal IPv4 and IPv6 addresses are not permitted in "HostName".
I first thought to fix this behavior by setting SNI to the Host header, but it seems we don't have access to the request context in this part of the code… :(
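An added example (not code from the bug report or from net/http itself): one way for a caller to choose an RFC 6066-compliant SNI name when the connect address is an IP literal and the Host header names the site, then build a client that still connects to that IP through `Net::HTTP#ipaddr=`. The helper names `ip_literal?`, `bare_host`, `sni_server_name` and `client_for` are hypothetical.

```ruby
require 'net/http'
require 'ipaddr'

# Hypothetical helpers for illustration; not part of net/http.

# True when +name+ is an IPv4/IPv6 literal, which RFC 6066 forbids in "HostName".
def ip_literal?(name)
  IPAddr.new(name)
  true
rescue IPAddr::Error
  false
end

# Reduce a Host header value or connect address to a bare host:
# drop IPv6 brackets, a ":port" suffix and a trailing dot.
def bare_host(value)
  v = value.to_s.strip
  if v.start_with?('[')
    v = v[1...v.index(']')] if v.include?(']')
  elsif v.count(':') == 1
    v = v.split(':', 2).first
  end
  v.chomp('.')
end

# Name to send in SNI, or nil when the extension should be omitted
# (no DNS name is available, only an IP literal).
def sni_server_name(address, host_header = nil)
  candidate = bare_host(host_header || address)
  return nil if candidate.empty? || ip_literal?(candidate)
  candidate.downcase
end

# Build (without connecting) a client that reaches +ip+ while the DNS name
# from +host_header+ is the Net::HTTP address used for SNI, certificate
# verification and the default Host header.
def client_for(ip, host_header, port = 443)
  name = sni_server_name(ip, host_header)
  http = Net::HTTP.new(name || ip, port)
  http.ipaddr = ip if name # pin the TCP destination only when a name exists
  http.use_ssl = true
  http
end
```

With a client built this way, the certificate is checked against the DNS name rather than the IP, so the request no longer needs a hand-set `Host` header.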