-
Notifications
You must be signed in to change notification settings - Fork 4.5k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Investigate IDN mapping rules when parsing/writing server name #25668
Comments
@krwq for the second, can you verify it manually / using other tools? |
The first one sounds like a bug. Can you post a code snippet showing what you mean / what you observed? |
@karelz - current version of the server works correctly with this bug because of the fallback I put in the code (see DecodeString in SniHelper). If you remove it one of the tests in SslStreamSniTest will start failing on Windows (the one with special characters) - see test data for this test: I believe client should doing IDN mapping but I'm currently not 100% sure this is a bug as I haven't seen the confirmation in the spec. Spec needs to be reread and checked for the words like "must". |
Which test fails exactly? On SocketsHttpHandler or on PlatformHandler? |
@karelz this is a new test I'm adding in my PR (round-tripping hostName): I haven't seen any existing tests checking for that but also there was no good way to test it without both side support. |
@karelz I've edited the original issue to make it clearer |
@karelz, ok to move it to 2.1 with Post ZBB label? |
Also, issues created after 3/28 automatically don't count against ZBB, so no worries. 2.1 goal: Assess impact from customer point of view - if usage of |
@karelz I've tested multiple scenarios and HttpClient seems to work correctly (does IDN mapping higher up the stack). I've tested behaviors on .NET Core, full .NET and also compared data send by the browser. Only people using SslStream directly are affected by this issue. Moving to future. |
SslStream Windows implementation does not map special characters when sending host name in the client hello extension and sends utf-8 characters instead.
Note: This does not affect HttpClient scenario which does IDN mapping higher up the stack, only SslStream scenario is affected.
SSL protocol recommends that host name should be send by a client. Host name should be send using one of the client hello extensions. Recommended data flow is following:
Current windows Implementation seems to be skipping IDN mapping and does following instead:
Recently merged server logic implementation (dotnet/corefx#28278) does following to mitigate the problem:
To sum up:
Related test case (passes with the fallback):
https://github.com/dotnet/corefx/pull/28278/files#diff-dbaea2525913714cf555096c8af14a03R21
with following test data:
https://github.com/dotnet/corefx/pull/28278/files#diff-dbaea2525913714cf555096c8af14a03R132
On the OpenSSL side we do the conversion explicitly:
https://github.com/dotnet/corefx/blob/c533892f2e57940ec9e66616288bf340b75a9217/src/Common/src/Interop/Unix/System.Security.Cryptography.Native/Interop.OpenSsl.cs#L129
while on Windows we seem to be passing directly:
https://github.com/dotnet/corefx/blob/c533892f2e57940ec9e66616288bf340b75a9217/src/Common/src/Interop/Windows/sspicli/SecuritySafeHandles.cs#L595
2.0.0 code also does the same thing: https://github.com/dotnet/corefx/blob/release/2.0.0/src/Common/src/Interop/Windows/sspicli/SecuritySafeHandles.cs#L596
Windows documentation doesn't seem to be specifying if it does the conversion for you or not (https://msdn.microsoft.com/en-us/library/windows/desktop/aa375924(v=vs.85).aspx):
The text was updated successfully, but these errors were encountered: