HttpClient sends invalid extension during TLS Client Hello causing failed connection to server #49183
Comments
Just to preemptively answer a question posed in the original flutter issues
This is actually not the case. It is only this extension causing the issue (I created a Python script to replay this exact packet to my server dynamically. All the other fields are valid except this one, and it prevents the connection), plus rustls supports 1.2 up. I also was able to confirm this by using the following curl command. This is also reinforced by my workaround: adding a subdomain A record to my personal server's DNS records to point to 10.0.0.224. Using this workaround, it then works correctly.
Right now we call SSL_set_tlsext_host_name with a hostname that ultimately comes from
I'm closing this issue because certificate checks should succeed when the hostname is an IP address in Dart 3.1
I think this should be reopened or deserves a new issue. #52118 fixes the call to The This is not just of theoretical nature. I'm affected by this issue when trying to use TLS with an IP address. Here's what happens when I send an HTTP request using TLS with the host being an IP address (192.1678.178.182):
Should I open a new issue?
the issue remains, but we need to solve it on client side: dart-lang/sdk#49183 (comment)
I originally wrote this issue on the flutter issue tracker because I did not know where to put it. I do believe this is here, so I will just copy it over here; flutter/flutter#105381.
Steps to Reproduce
dart run example.dart on the code sample
Expected results:
Request successfully goes through
Actual results:
Error fails with error
Code sample
Logs
Currently, my server is using axum-server with rustls in order to create a backend for my application. In doing so, I only have an IP to connect with. However, using Wireshark we can decode the TLSv1.2 Client Hello packet that the Flutter application is sending.
Specifically what we see here is that the HttpClient is sending a server_name extension. While this traditionally would serve to increase security, the way it is represented with the URI is a bug. 10.0.0.224 is clearly not a hostname, but instead an IP. Furthermore, according to the IETF RFC, an IP is a distinct thing from a hostname and "Literal IPv4 and IPv6 addresses are not permitted in 'HostName'". As a result, when the server goes to decode the host name, it fails to get a DnsNameRef. If we replay this packet with only the hostname changed to the hex of a string, such as 'google.com', then the connection succeeds.
EDIT: Changed quote from RFC to more proper RFC as well as simplifying code. Thanks @simolus3!
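As an added example (not code from this issue or from the Dart SDK), the following Python parses the extension_data of a server_name extension and reports HostName entries that are IP literals, the condition described in the report above. The function names and the sample bytes are constructed for illustration; the wire layout follows the ServerNameList structure in RFC 6066, section 3.

```python
import ipaddress
import struct

HOST_NAME = 0  # NameType host_name(0), RFC 6066 section 3

def build_server_name_ext(host: str) -> bytes:
    """Encode the extension_data of a server_name extension with one HostName."""
    name = host.encode("ascii")
    entry = struct.pack("!BH", HOST_NAME, len(name)) + name
    return struct.pack("!H", len(entry)) + entry


def parse_server_names(ext_data: bytes) -> list[str]:
    """Return the HostName entries of a ServerNameList; raise on bad framing."""
    if len(ext_data) < 2:
        raise ValueError("truncated ServerNameList")
    (list_len,) = struct.unpack_from("!H", ext_data, 0)
    if list_len != len(ext_data) - 2:
        raise ValueError("ServerNameList length mismatch")
    names, off = [], 2
    while off < len(ext_data):
        if off + 3 > len(ext_data):
            raise ValueError("truncated ServerName entry")
        name_type, name_len = struct.unpack_from("!BH", ext_data, off)
        off += 3
        if off + name_len > len(ext_data):
            raise ValueError("HostName overruns extension")
        if name_type == HOST_NAME:
            names.append(ext_data[off:off + name_len].decode("ascii"))
        off += name_len
    return names


def is_ip_literal(host: str) -> bool:
    """True for IPv4/IPv6 literals, which RFC 6066 does not permit in HostName."""
    try:
        ipaddress.ip_address(host)
    except ValueError:
        return False
    return True


def sni_violations(ext_data: bytes) -> list[str]:
    """HostName entries in the extension that are IP literals."""
    return [n for n in parse_server_names(ext_data) if is_ip_literal(n)]

# Constructed samples: the address from the report and a DNS name.
BAD = build_server_name_ext("10.0.0.224")
GOOD = build_server_name_ext("google.com")
```
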