crypto/tls, net/http: HTTPS + IPv6 literal == bogus SNI #14404

Closed
willmo opened this issue Feb 19, 2016 · 1 comment

@willmo

commented Feb 19, 2016

Following up #13111, in Go 1.6 the SNI is still incorrectly sent when using IPv6 literals with HTTPS. HTTP encloses IPv6 literals in square brackets, but when tls prepares to send the SNI it uses net.ParseIP to check for address literals, and that doesn't know about square brackets. Hence the bracket-enclosed literal ends up being sent as the SNI.

I'm not sure if tls should handle square brackets (like x509.Certificate.VerifyHostname does), or if http should strip the brackets before setting ServerName (i.e. in tlsHost()), or what.

@mikioh mikioh added this to the Go1.7 milestone Feb 19, 2016

@willmo willmo changed the title crypto/tls (or net/http?): HTTPS + IPv6 literal == bogus SNI crypto/tls, net/http: HTTPS + IPv6 literal == bogus SNI Feb 19, 2016

@gopherbot

commented Feb 19, 2016

CL https://golang.org/cl/19704 mentions this issue.

@gopherbot gopherbot closed this in f3f920f Feb 27, 2016

@golang golang locked and limited conversation to collaborators Feb 28, 2017

FiloSottile pushed a commit to FiloSottile/go that referenced this issue Oct 12, 2018

Mikio Hara
crypto/tls: don't send IPv6 literals and absolute FQDNs as SNI values
This is a followup change to golang#13111 for filtering out IPv6 literals and
absolute FQDNs from being as the SNI values.

Updates golang#13111.
Fixes golang#14404.

Change-Id: I09ab8d2a9153d9a92147e57ca141f2e97ddcef6e
Reviewed-on: https://go-review.googlesource.com/19704
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
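
Added example (not part of the issue thread and not the code from CL 19704): the behaviour reported in the issue next to the filtering the commit message describes, in Go. `naiveSNI` and `sniName` are hypothetical names, and the host strings are constructed samples.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// naiveSNI mirrors the check described in the issue: only net.ParseIP is
// consulted, so a bracket-enclosed literal is not recognised as an address.
func naiveSNI(host string) string {
	if net.ParseIP(host) != nil {
		return ""
	}
	return host
}

// sniName (hypothetical helper) returns the value to place in the TLS
// server_name extension, or "" when no SNI should be sent.
func sniName(host string) string {
	h := host
	// URL-style IPv6 literal, e.g. "[2001:db8::1]".
	if len(h) > 1 && h[0] == '[' && h[len(h)-1] == ']' {
		h = h[1 : len(h)-1]
	}
	// Drop a zone identifier such as "%eth0"; net.ParseIP rejects zones.
	if i := strings.LastIndex(h, "%"); i > 0 {
		h = h[:i]
	}
	if net.ParseIP(h) != nil {
		return "" // address literals are not host names
	}
	// Absolute FQDN: send the name without its trailing dot.
	return strings.TrimRight(host, ".")
}

func main() {
	// Constructed sample inputs.
	hosts := []string{"example.com", "example.com.", "192.0.2.1",
		"2001:db8::1", "[2001:db8::1]", "[fe80::1%eth0]"}
	for _, h := range hosts {
		fmt.Printf("%-18q naive=%-18q filtered=%q\n", h, naiveSNI(h), sniName(h))
	}
}
```

On the server side, a bracketed or dotted value in the ClientHello `server_name` field is a quick indicator that a client is running without this kind of filtering.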
