| msg307333 - (view) |
Author: Matt Davis (nitzmahone) * |
Date: 2017-11-30 18:05 |
| The current implementation of SSLContext.wrap_socket blindly sends whatever is passed in server_hostname in the SNI extension, assuming it's a DNS hostname. RFC6066 describes the SNI TLS extension, and specifically states that 'Literal IPv4 and IPv6 addresses are not permitted in "HostName".' The RFC makes no recommendation on how a server implementation that violates this requirement should behave; Microsoft's kernel HTTP listener (http.sys) chooses to abort the connection if SNI has been enabled. In the http.sys case, SNI is a global setting, currently off by default, but if any registered listener has SNI enabled, the connection abort behavior applies to all listeners. SSLContext.wrap_socket() should determine whether server_hostname is an IP address before including the SNI extension. I've submitted a PR to work around this issue in urllib3 (https://github.com/shazow/urllib3/pull/1287) in the meantime, but would be good to get this fixed, especially if Microsoft decides to enable SNI by default at some point. |
|
|
| msg307334 - (view) |
Author: Christian Heimes (christian.heimes) *  |
Date: 2017-11-30 18:10 |
| Thanks! 3.4 and 3.5 are out of scope. They only receive security fixes. For 3.7 https://github.com/python/cpython/compare/master...tiran:openssl_check_hostname will take care of the issue 2.7 and 3.6 are a bit tricky. There is no platform-compatible way to detect if a string is an IP address. inet_pton() is not available on Windows. I cannot use the OpenSSL parser because it is only available in 1.0.2+. 2.7 and 3.6 still support 0.9.8. |
|
|
| msg308712 - (view) |
Author: Antoine Pitrou (pitrou) * |
Date: 2017-12-20 10:04 |
| > There is no platform-compatible way to detect if a string is an IP address. Actually, you could use the ipaddress module. |
|
|
| msg308713 - (view) |
Author: Antoine Pitrou (pitrou) * |
Date: 2017-12-20 10:14 |
| By the way, Windows nowadays has inet_pton(): https://msdn.microsoft.com/en-us/library/windows/desktop/cc805844(v=vs.85).aspx Are there other platforms without it? inet_pton() is part of POSIX. |
|
|
| msg308715 - (view) |
Author: Christian Heimes (christian.heimes) * |
Date: 2017-12-20 10:33 |
| The code works on all platforms with OpenSSL >= 1.0.2. OpenSSL 1.0.1, 0.9.8 and earlier are no longer supported by upstream. Anybody with even marginal interest in secure TLS/SSL should update. Python.org's Windows and macOS binaries are good. The inet_pton() code in my patch is for those poor souls that are stuck with RHEL 6, CentOS 6, or Ubuntu 14.04. RHEL 7, CentOS 7, and Ubuntu 16.04 have OpenSSL 1.0.2. The IP address module is slow and hard to use from C code. |
|
|
| msg308716 - (view) |
Author: Christian Heimes (christian.heimes) * |
Date: 2017-12-20 10:34 |
| PS: With OpenSSL >= 1.0.2, inet_pton() is not required. |
|
|
| msg312782 - (view) |
Author: Christian Heimes (christian.heimes) * |
Date: 2018-02-25 08:47 |
| New changeset e9370a47389903bb72badc95032ec84a0ebbf8cc by Christian Heimes in branch '3.6': bpo-32185: Don't send IP in SNI TLS extension (#5865) https://github.com/python/cpython/commit/e9370a47389903bb72badc95032ec84a0ebbf8cc |
|
|
| msg312786 - (view) |
Author: Christian Heimes (christian.heimes) * |
Date: 2018-02-25 09:16 |
| New changeset a5c9112300ecd492ed6cc9759dc8028766401f61 by Christian Heimes (Miss Islington (bot)) in branch '2.7': [2.7] bpo-32185: Don't send IP in SNI TLS extension (GH-5865) (#5871) https://github.com/python/cpython/commit/a5c9112300ecd492ed6cc9759dc8028766401f61 |
|
|
| msg312787 - (view) |
Author: Christian Heimes (christian.heimes) * |
Date: 2018-02-25 09:19 |
| The issue has been fixed in 2.7, 3.6-3.8 for OpenSSL >= 1.0.2 or platforms with inet_pton. I didn't bother to fix platforms without inet_pton since OpenSSL 1.0.1 and earlier are no longer support any way. |
|
|