Revert "Explicitly disable server name indication" #13
Conversation
|
👍 LGTM |
|
i have a suspicion this failing test never worked as it's just skipped on native Mac but fails same way in my docker |
|
DO NOT MERGE until stuff is above 20.3.X |
|
@nalundgaard i'm going to rebase this and merge after verifying with S3/DDB and somme things other |
|
I can rebase it today. |
nalundgaard
force-pushed
the
revert-12-otp_20
branch
2 times, most recently
from
5eccacf
to
fc3774e
Compare
* Formatting fixes * Document pool size option * Note that it's compatible with OTP 21 * Note that it's not compatible with Erlangs < R16B03-1 * Add caution against using with OTP 20.1 (use 20.3+ instead)
nalundgaard
force-pushed
the
revert-12-otp_20
branch
from
fc3774e
to
787591d
Compare
|
@nalundgaard Could we not perform certificate CN/SAN validation without depending on SNI? Hackney does it, IIRC, by means of https://github.com/deadtrickster/ssl_verify_fun.erl . That's what we actually need for security. Whereas SNI is (AFAIK) a nearly useless feature, it's needed only in cases where there's a single IP/host that needs to present multiple server certificates, which (AFAIK) we don't use, so it's right to keep it disabled by default. |
|
@akontsevoy The current state is that it's categorically off no matter what (overrides any client setting), as a "quick and dirty" workaround for a bug where it was broken on the client side in Erlang 20.1 (fixed in 20.3). That in not desirable; the default behavior is preferred (use it automatically as appropriate, assuming the client implementation isn't broken). This HTTP client is used by a wide array of people, and AWS definitely does use SNI in some of their services, as far as I am aware. I prefer to leave this to the client to set as appropriate, and those that want to turn it off may find #19 helpful. What do you think? |
|
OK, if by default it's on (as in curl/OpenSSL), maybe we should leave the default in place and let the user disable it if they need instead of force-disabling it for them (and compromising security of the connection in the process by diabling CN/SAN validation). I don't understand why (according to OTP docs) disabling SNI also disables certificate name validation, but I guess that's not a decision for us to make. |
* Brings in erlcloud/lhttpc#13, which reinstates support for server name indication in lhttpc. This makes it incompatible with Erlang/OTP versions that have broken SNI support (namely, OTP 20.1). Clients on OTP 20.x should make sure they are on OTP 20.3.
Reverts #12.
It appears that the
server_name_indicationis not actually categorically added in OTP 20, it's only added when you connect to a Hostname that isn't an IP address. The wrinkle appears to be that Erlangs 20.0.x and 20.1.x didn't understand that string IPs, e.g.,"127.0.0.1"are not Hostnames, despite that the documentation that says this (in ssl docs):So we end up with stupid errors like
failed: {options,{{server_name_indication,"127.0.0.1"}}}.It looks to me like this was introduced in Erlang 20.0-rc2: erlang/otp/commit/e9b0dbb4, "ssl: Add hostname check of server certificate."
It appears that it was then fixed in Erlang OTP 20.2: erlang/otp/commit/78a9a09a, "Stop checking DNS name for SNI."
As @RaimoNiskanen said in the comment there (in bold below):
Diffuse indeed.