hostnames with trailing dot, testcases, fix for gnutls #13440

10 changes: 7 additions & 3 deletions lib/vtls/gtls.c
Expand Up @@ -962,6 +962,9 @@ Curl_gtls_verifyserver(struct Curl_easy *data,
gnutls_protocol_t version = gnutls_protocol_get_version(session);
#endif
long * const certverifyresult = &ssl_config->certverifyresult;
/* if we have use SNI, verify the certificate with that. If not, e.g.
* the hostname is an IP address, use the hostname */
const char *verify_name = peer->sni? peer->sni : peer->hostname;

#ifndef CURL_DISABLE_VERBOSE_STRINGS
/* the name of the cipher suite used, e.g. ECDHE_RSA_AES_256_GCM_SHA384. */
Expand Down Expand Up @@ -1199,7 +1202,8 @@ Curl_gtls_verifyserver(struct Curl_easy *data,
in RFC2818 (HTTPS), which takes into account wildcards, and the subject
alternative name PKIX extension. Returns non zero on success, and zero on
failure. */
rc = gnutls_x509_crt_check_hostname(x509_cert, peer->hostname);
rc = gnutls_x509_crt_check_hostname(x509_cert, verify_name);
DEBUGF(infof(data, "glts check hostname '%s' -> %d", verify_name, rc));
#if GNUTLS_VERSION_NUMBER < 0x030306
/* Before 3.3.6, gnutls_x509_crt_check_hostname() didn't check IP
addresses. */
Expand All @@ -1212,10 +1216,10 @@ Curl_gtls_verifyserver(struct Curl_easy *data,
unsigned char addrbuf[sizeof(struct use_addr)];
size_t addrlen = 0;

if(Curl_inet_pton(AF_INET, peer->hostname, addrbuf) > 0)
if(Curl_inet_pton(AF_INET, verify_name, addrbuf) > 0)
addrlen = 4;
#ifdef USE_IPV6
else if(Curl_inet_pton(AF_INET6, peer->hostname, addrbuf) > 0)
else if(Curl_inet_pton(AF_INET6, verify_name, addrbuf) > 0)
addrlen = 16;
#endif

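Review bot: The new comment introducing verify_name and the new DEBUGF string both carry typos that will stick around in the shipped file: `/* if we have use SNI, verify the certificate with that. If not, e.g.` should read `/* if we used SNI, verify the certificate against that name. If not, e.g.`, and `"glts check hostname '%s' -> %d"` should read `"gtls check hostname '%s' -> %d"` so the log line matches the file's prefix. The comment would also help a reader more if it said why the two names can differ at all — presumably peer->sni is the hostname with its trailing dot stripped, as the PR title suggests, so it is worth stating that the certificate is matched against the name actually sent in SNI rather than the raw URL host; that relationship is not visible in this file and should be confirmed against where peer->sni is set. The same substitution is applied in all three hunks of this file, and Curl_gtls_verifyserver starts before the first hunk and ends after the last one.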
24 changes: 24 additions & 0 deletions tests/http/test_01_basic.py
Expand Up @@ -97,3 +97,27 @@ def test_01_06_timings(self, env: Env, httpd, nghttpx, repeat, proto):
r.check_stats(http_status=200, count=1)
assert r.stats[0]['time_connect'] > 0, f'{r.stats[0]}'
assert r.stats[0]['time_appconnect'] > 0, f'{r.stats[0]}'

# use host name with trailing dot, verify handshake
@pytest.mark.skipif(condition=not Env.have_ssl_curl(), reason=f"curl without SSL")
@pytest.mark.parametrize("proto", ['http/1.1', 'h2', 'h3'])
def test_01_07_trailing_dot(self, env: Env, httpd, nghttpx, repeat, proto):
if proto == 'h3' and not env.have_h3():
pytest.skip("h3 not supported")
curl = CurlClient(env=env)
domain = f'{env.domain1}.'
url = f'https://{env.authority_for(domain, proto)}/data.json'
r = curl.http_download(urls=[url], alpn_proto=proto, with_stats=True)
r.check_stats(http_status=200, count=1)

# use host name with double trailing dot, verify handshake
@pytest.mark.skipif(condition=not Env.have_ssl_curl(), reason=f"curl without SSL")
@pytest.mark.parametrize("proto", ['http/1.1', 'h2', 'h3'])
def test_01_08_double_dot(self, env: Env, httpd, nghttpx, repeat, proto):
if proto == 'h3' and not env.have_h3():
pytest.skip("h3 not supported")
curl = CurlClient(env=env)
domain = f'{env.domain1}..'
url = f'https://{env.authority_for(domain, proto)}/data.json'
r = curl.http_download(urls=[url], alpn_proto=proto, with_stats=True)
r.check_stats(exitcode=60, count=1)
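Review bot: test_01_08_double_dot ends with `r.check_stats(exitcode=60, count=1)` without saying why a host with two trailing dots is expected to produce that exit code, so a future regression in either direction is hard to interpret; a comment such as `# 'host..' is not a valid name: the handshake must fail, curl exit 60` placed before the assertion would pin the expectation. I am assuming 60 here is curl's peer-verification failure code; confirm that against the error table before wording the comment. In both new skipif decorators `reason=f"curl without SSL"` is an f-string with no placeholders and can be a plain `"curl without SSL"`. The enclosing test class begins before this hunk.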