Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

hostnames with trailing dot, testcases, fix for gnutls #13440

Closed
wants to merge 1 commit into from
Closed

hostnames with trailing dot, testcases, fix for gnutls #13440

wants to merge 1 commit into from

Conversation

icing
Copy link
Contributor

@icing icing commented Apr 22, 2024
edited

@icing
hostnames with trailing dot, testcases, fix for gnutls
821d7f7 
- add test_01_07 for successful verification with a trailing dot
- add test_01_08 for expected failure with double dot
- fix gnutls to use the normalized SNI name for checking when available
@github-actions github-actions bot added the tests label Apr 22, 2024
@icing icing mentioned this pull request Apr 22, 2024
Open
@bagder
Copy link
Member

bagder commented Apr 22, 2024

Back to the never-ending mess that is trailing dots. AFAIK, it should not use the SNI name to verify the host name in the certificates.

RFC 2818 section 3.1 says:

In general, HTTP/TLS requests are generated by dereferencing a URI.
As a consequence, the hostname for the server is known to the client.
If the hostname is available, the client MUST check it against the
server's identity as presented in the server's Certificate message,
in order to prevent man-in-the-middle attacks.

The hostname here has a trailing dot. The SNI name does not. Should the verification not get done with the hostname?

RFC 9525 section 6.1 is less specific but says:

The inputs used by the client to construct its list of reference identifiers might be a URI that a user has typed into an interface (e.g., an HTTPS URL for a website)

Again, that is the hostname. Not the SNI name.

But... clearly these TLS libraries fail to verify the name with the dot...

@icing
Copy link
Contributor Author

icing commented Apr 22, 2024

Yes, the mess with trailing dots in dns names. Not sure what is the best way forward.

We set peer->sni if it is a DNS name, do a strlower and remove one trailing dot if present. We have then two options

  1. always use peer->hostname and let verification fail if the TLS library does not handle a trailing dot.
  2. use our peer->sni to work around for these libraries.

I am not sure what is better. Please advise and I adapt the PR. At least we'll have test cases then.

@bagder
Copy link
Member

bagder commented Apr 22, 2024

I've asked GnuTLS to clarify the situation (they want the name provided without a trailing dot) in their docs: https://gitlab.com/gnutls/gnutls/-/issues/1548

@bagder
Copy link
Member

bagder commented Apr 22, 2024

A TLS server cannot make a difference between name and name. since the latter is not legal and thus it will always assume the name has no trailing dot. I think we can (under protest) agree to passing in the SNI name in the hostname field if that is what the TLS library insists we need to do.

@icing
Copy link
Contributor Author

icing commented Apr 22, 2024

I am closing this. I moved the test cases over to #13386 and reverted the gnutls workaround (for now).

@icing icing closed this Apr 22, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
tests
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
2 participants
@icing @bagder