Ruby Issue Tracking System: Issues (https://bugs.ruby-lang.org/, feed updated 2020-03-15T23:04:17Z)
Ruby master - Bug #16692 (Closed): net/http SNI not RFC 6066 compliant &amp; wrong certificate hit
https://bugs.ruby-lang.org/issues/16692 - 2020-03-15T23:04:17Z - aeris (Nicolas Vinot)
<p>Hi,</p>
<p>Currently, net/http set the SNI to the address you want to connect to.<br>
<a href="https://github.com/ruby/ruby/blob/master/lib/net/http.rb#L1025-L1026" class="external">https://github.com/ruby/ruby/blob/master/lib/net/http.rb#L1025-L1026</a></p>
<p>This may be a wrong assumption, because you may want to connect to a specific IP address while requesting a host specified via an HTTP <code>Host</code> header.</p>
<pre><code class="ruby">http = Net::HTTP.new '127.0.0.1', 443 # Forcing IP address
http.use_ssl = true
request = Net::HTTP::Get.new '/'
request['Host'] = 'localhost'
response = http.request request
</code></pre>
<p>Currently you hit the wrong certificate behavior because SNI is set to <code>127.0.0.1</code> instead of <code>localhost</code> as expected.</p>
<p>The current implementation is also not compliant with <a href="https://tools.ietf.org/html/rfc6066#page-6" class="external">RFC 6066</a>.</p>
<pre><code>Literal IPv4 and IPv6 addresses are not permitted in "HostName".
</code></pre>
<p>I first thought to fix this behavior by setting the SNI to the <code>Host</code> header, but it seems we don't have access to the request context in this part of the code… :(</p>

Ruby master - Bug #14848 (Rejected): Net/HTTP doesn't take verify_callback into account when Open...
https://bugs.ruby-lang.org/issues/14848 - 2018-06-15T10:02:55Z - aeris (Nicolas Vinot)
<p>Hi,</p>
<p>In (at least) net/http, the TLS connection is OK even if <code>verify_callback</code> returns <code>false</code> when <code>verify_mode</code> is set to <code>OpenSSL::SSL::VERIFY_NONE</code>.<br>
The callback is really called, but the TLS handshake is not stopped.</p>
<p>Use case: self-signed certificate (which implies <code>VERIFY_NONE</code>) but direct key pinning for trust (implying <code>verify_callback</code>).</p>
<p>Enclosed with this ticket is an example to reproduce the trouble.<br>
For me, because <code>verify_callback</code> returns <code>false</code> in all cases, none of the connections should succeed.</p>

Ruby master - Feature #14067 (Third Party's Issue): TLS fallback SCSV (RFC 7507)
https://bugs.ruby-lang.org/issues/14067 - 2017-10-29T14:29:43Z - aeris (Nicolas Vinot)
<p>Hi here,</p>
<p>Here is a patch to support TLS fallback SCSV <a href="https://tools.ietf.org/html/rfc7507" class="external">RFC 7507</a>.<br>
<a href="https://github.com/ruby/ruby/pull/1733" class="external">https://github.com/ruby/ruby/pull/1733</a></p>
<p>Regards</p>

Ruby master - Feature #14066 (Closed): Add CAA DNS RR on Resolv
https://bugs.ruby-lang.org/issues/14066 - 2017-10-29T13:21:58Z - aeris (Nicolas Vinot)
<p>Hi here,</p>
<p>Here is a small PR to add the CAA DNS RR to Resolv<br>
<a href="https://github.com/ruby/ruby/pull/1732" class="external">https://github.com/ruby/ruby/pull/1732</a></p>
<p>Regards,</p>