Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

HSTS is allowed for IP addresses when it should not #7146

Closed
piru opened this issue May 28, 2021 · 1 comment
Closed

HSTS is allowed for IP addresses when it should not #7146

piru opened this issue May 28, 2021 · 1 comment

Comments

@piru
Copy link

piru commented May 28, 2021

I did this

server:

echo -e "HTTP/1.1 200 OK\nStrict-Transport-Security: max-age=31536000\nContent-length: 0\n" | socat STDIN OPENSSL-LISTEN:8443,certificate=cert.pem,reuseaddr,verify=0

client:

curl --insecure --hsts foo.hsts https://<ipaddress>:8443

Note: --insecure is used here to avoid need to set up PKI for the PoC, it doesn't change the outcome however.

afterwards foo.hsts:

# Your HSTS cache. https://curl.se/docs/hsts.html
# This file was generated by libcurl! Edit at your own risk.
<ipaddress> "20220528 21:22:30"

Also later the HSTS applies to the IP address, while it should not.

I expected the following

libcurl implementing https://datatracker.ietf.org/doc/html/rfc6797 design, specifically:

   4.  HSTS Hosts are identified only via domain names -- explicit IP
       address identification of all forms is excluded.  This is for
       simplification and also is in recognition of various issues with
       using direct IP address identification in concert with PKI-based
       security.

curl/libcurl version

curl 7.77.1-DEV (x86_64-pc-linux-gnu) libcurl/7.77.1-DEV OpenSSL/1.1.1k zlib/1.2.11 brotli/1.0.9 libidn2/2.3.0 libpsl/0.21.0 (+libidn2/2.3.0) nghttp2/1.43.0 librtmp/2.3 OpenLDAP/2.4.57
Release-Date: [unreleased]
Protocols: dict file ftp ftps gopher gophers http https imap imaps ldap ldaps mqtt pop3 pop3s rtmp rtsp smb smbs smtp smtps telnet tftp
Features: alt-svc AsynchDNS brotli HSTS HTTP2 HTTPS-proxy IDN IPv6 Largefile libz NTLM NTLM_WB PSL SSL TLS-SRP UnixSockets

operating system

Linux anonymized 5.10.0-6-amd64 #1 SMP Debian 5.10.28-1 (2021-04-09) x86_64 GNU/Linux

@bagder
Copy link
Member

bagder commented May 28, 2021

Nice catch!

bagder added a commit that referenced this issue May 29, 2021
Also, use a single function library-wide for detecting if a given hostname is
a numerical IP address.

Reported-by: Harry Sintonen
Fixes #7146
@bagder bagder closed this as completed in 1c1d9f1 May 30, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Development

Successfully merging a pull request may close this issue.

2 participants