x/crypto/autocert: should trim trailing dots #18114
Comments
|
Thanks. Seems easy enough. /cc @x1ddos |
|
Sent https://go-review.googlesource.com/33711 ... reviews welcome! |
|
Yeah, sounds good. I'll create a change. Although, hard to imagine someone typing a url with a trailing dot... Out of curiosity, does it happen regularly in your case? Never happened to me or visitors of domains that I own. |
|
Ah, Brad already did. |
|
CL https://golang.org/cl/33711 mentions this issue. |
mikioh
changed the title
|
For the record, |
|
Oh, yeah? So which browser is sending it, @jeffallen, and why are we accepting it, @agl? |
|
When I hacked autocert to nuke the dot, what I saw is that the URL bar had a dot on the end, but I still had a green padlock even though the SNI had no dot on the end. Don't recall if it was ff or chrome. |
|
We shouldn't accept this. Too late for the current cycle, but this should do it in the future. |
|
CL https://golang.org/cl/33904 mentions this issue. |
SNI values may not include a trailing dot according to https://tools.ietf.org/html/rfc6066#section-3. Although crypto/tls handled this correctly as a client, it didn't reject this as a server. This change makes sending an SNI value with a trailing dot a fatal error. Updates #18114. Change-Id: Ib7897ab40e98d4a7a4646ff8469a55233621f631 Reviewed-on: https://go-review.googlesource.com/33904 Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org> TryBot-Result: Gobot Gobot <gobot@golang.org> Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
Browsers can send an SNI name of "example.com." for https://example.com./ but LetsEncrypt rejects the trailing dot. Fixes golang/go#18114 Change-Id: Ie38e355e5b5566a7eb18f77a2449660e22e21b4c Reviewed-on: https://go-review.googlesource.com/33711 Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org> TryBot-Result: Gobot Gobot <gobot@golang.org> Reviewed-by: Emmanuel Odeke <emm.odeke@gmail.com> Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
Browsers can send an SNI name of "example.com." for https://example.com./ but LetsEncrypt rejects the trailing dot. Fixes golang/go#18114 Change-Id: Ie38e355e5b5566a7eb18f77a2449660e22e21b4c Reviewed-on: https://go-review.googlesource.com/33711 Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org> TryBot-Result: Gobot Gobot <gobot@golang.org> Reviewed-by: Emmanuel Odeke <emm.odeke@gmail.com> Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
Browsers can send an SNI name of "example.com." for https://example.com./ but LetsEncrypt rejects the trailing dot. Fixes golang/go#18114 Change-Id: Ie38e355e5b5566a7eb18f77a2449660e22e21b4c Reviewed-on: https://go-review.googlesource.com/33711 Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org> TryBot-Result: Gobot Gobot <gobot@golang.org> Reviewed-by: Emmanuel Odeke <emm.odeke@gmail.com> Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
Browsers can send an SNI name of "example.com." for https://example.com./ but LetsEncrypt rejects the trailing dot. Fixes golang/go#18114 Change-Id: Ie38e355e5b5566a7eb18f77a2449660e22e21b4c Reviewed-on: https://go-review.googlesource.com/33711 Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org> TryBot-Result: Gobot Gobot <gobot@golang.org> Reviewed-by: Emmanuel Odeke <emm.odeke@gmail.com> Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
What did you do?
When accessing a server that gets certificates using autocert via a url like https://server.domain.com./ (note the trailing dot) you get an error from the ACME server. See letsencrypt/boulder#2367 for why. They propose that clients should resolve this situation by removing the trailing dot in the certificate request.
Thus, autocert should trim trailing dots.
The text was updated successfully, but these errors were encountered: