Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

ssl: Handle ip-address as string correctly #7974

Closed

Conversation

dgud
Copy link
Contributor

@dgud dgud commented Dec 19, 2023

If the host was specified as string ip-address, server_name_indication didn't work.

Convert "ip-address" to tuple form in default hostname and also fallback to check ip if dns_id doesn't work, as was done for upgraded sockets previously.

Also while at it cleanup handling when hostname is undefined.

Fixes #7968

@dgud dgud self-assigned this Dec 19, 2023
Copy link
Contributor

github-actions bot commented Dec 19, 2023

CT Test Results

    2 files     66 suites   47m 55s ⏱️
  773 tests   740 ✅  33 💤 0 ❌
3 672 runs  2 928 ✅ 744 💤 0 ❌

Results for commit 2da9c1e.

♻️ This comment has been updated with latest results.

To speed up review, make sure that you have read Contributing to Erlang/OTP and that all checks pass.

See the TESTING and DEVELOPMENT HowTo guides for details about how to run test locally.

Artifacts

// Erlang/OTP Github Action Bot

@IngelaAndin IngelaAndin added the team:PS Assigned to OTP team PS label Dec 19, 2023
@dgud dgud force-pushed the dgud/ssl/ipaddress-as-string/GH-7968/OTP-18909 branch from d4b50f6 to 40607cd Compare December 20, 2023 09:21
@dgud dgud changed the base branch from master to maint December 20, 2023 09:48
@dgud dgud added the testing currently being tested, tag is used by OTP internal CI label Dec 20, 2023
@JeromeDeBretagne
Copy link
Contributor

@dgud @IngelaAndin shouldn't some type specs be updated also to describe this change?

@IngelaAndin
Copy link
Contributor

IngelaAndin commented Jan 2, 2024

Hostname already has the type string() which is wide enough to allow also "127.0.0.1" etc, this just a special handling of such strings that mostly was already possible. I guess the question is should we really use inet:hostname() instead of having ssl:hostname() ? This would allow the hostname also to be an atom. @dgud @u3s @RaimoNiskanen @bmk ?

@bmk
Copy link
Contributor

bmk commented Jan 2, 2024

Well:

inet:hostname() :: atom() | string()

ssl:hostname() :: string() | inet:ip_address()

So, not quite identical.

@JeromeDeBretagne
Copy link
Contributor

Hostname already has the type string() which is wide enough to allow also "127.0.0.1" etc, this just a special handling of such strings that mostly was already possible. I guess the question is should we really use inet:hostname() instead of having ssl:hostname() ? This would allow the hostname also to be an atom. @dgud @u3s @RaimoNiskanen @bmk ?

My point was that when looking at the specs currently :

otp/lib/ssl/src/ssl.erl

Lines 163 to 165 in 40607cd

-type host() :: hostname() | ip_address(). % exported
-type hostname() :: string().
-type ip_address() :: inet:ip_address().

it is not obvious (at all) that an IP address can be passed and accepted as a string since 1/ an IP address is not a hostname and 2/ the ip_address() type spec doesn't allow for a string. I got the impression that it was the point of your own comment here too: #7968 (comment)

If not the specs, maybe more a potentail documentation improvement?

@IngelaAndin
Copy link
Contributor

Well, maybe it is a documentation improvement that is needed, even though we ought to use inet:hostname() and behave the same as gen_tcp, it was surprising to me that "127.0.0.1" etc would be parsed and interpreted as an ip-address.

lib/ssl/src/ssl_handshake.erl Outdated Show resolved Hide resolved
@RaimoNiskanen
Copy link
Contributor

@IngelaAndin wrote:

... it was surprising to me that "127.0.0.1" etc would be parsed and interpreted as an ip-address.

This behaviour is implemented, known and sometimes documented for basic OS resolver API functions such as gethostbyname(3) since the dawn of Unix networking.

@dgud dgud force-pushed the dgud/ssl/ipaddress-as-string/GH-7968/OTP-18909 branch 3 times, most recently from 06a9ac1 to a4badaa Compare January 9, 2024 09:42
@dgud
Copy link
Contributor Author

dgud commented Jan 9, 2024

Allowed atom() as well, i.e. used inet:hostname() as type.

@dgud dgud closed this Jan 11, 2024
@dgud dgud force-pushed the dgud/ssl/ipaddress-as-string/GH-7968/OTP-18909 branch from 2da9c1e to d348bd7 Compare January 11, 2024 12:21
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
team:PS Assigned to OTP team PS testing currently being tested, tag is used by OTP internal CI
Projects
None yet
Development

Successfully merging this pull request may close these issues.

public_key:pkix_verify_hostname/N returns {:bad_cert, :hostname_check_failed} when connecting to IP addresses
6 participants