Stop sending Host with SslStream if it's an IP address (#5547)

Fixes #5543
npgsql · Jan 25, 2024 · 7087812 · 7087812
1 parent 010878c
commit 7087812
Showing 1 changed file with 14 additions and 2 deletions.
diff --git a/src/Npgsql/Internal/NpgsqlConnector.cs b/src/Npgsql/Internal/NpgsqlConnector.cs
@@ -868,16 +868,28 @@ internal async Task NegotiateEncryption(SslMode sslMode, NpgsqlTimeout timeout,
                 certificateValidationCallback = SslVerifyFullValidation;
             }
 
+            var host = Host;
+
+#if !NET8_0_OR_GREATER
+            // If the host is a valid IP address - replace it with an empty string
+            // We do that because .NET uses targetHost argument to send SNI to the server
+            // RFC explicitly prohibits sending an IP address so some servers might fail
+            // This was already fixed for .NET 8
+            // See #5543 for discussion
+            if (IPAddress.TryParse(host, out _))
+                host = string.Empty;
+#endif
+
             timeout.CheckAndApply(this);
 
             try
             {
                 var sslStream = new SslStream(_stream, leaveInnerStreamOpen: false, certificateValidationCallback);
 
                 if (async)
-                    await sslStream.AuthenticateAsClientAsync(Host, clientCertificates, SslProtocols.None, checkCertificateRevocation).ConfigureAwait(false);
+                    await sslStream.AuthenticateAsClientAsync(host, clientCertificates, SslProtocols.None, checkCertificateRevocation).ConfigureAwait(false);
                 else
-                    sslStream.AuthenticateAsClient(Host, clientCertificates, SslProtocols.None, checkCertificateRevocation);
+                    sslStream.AuthenticateAsClient(host, clientCertificates, SslProtocols.None, checkCertificateRevocation);
 
                 _stream = sslStream;
             }