Wrong `Host` header sent to TLS server #356
Comments
This happens because when support for Unix sockets was introduced it was necessary to also explicitly set the
When support for Unix sockets was introduced it was necessary to also explicitly set the `ServerName` in the TLS configuration to the host name of the target host, otherwise the Go library would send the Unix socket name as the host, something like `Host: /tmp/my.socket`.

But the TCP client is shared for all hosts, for example for _api.openshift.com_ and _sso.redhat.com_. So if the first request happens to be a request to _sso.redhat.com_ (it will usually be) the HTTP client will use _sso.redhat.com_ as the TLS server name also for API requests, not only for SSO requests.

In this case the API server happens to be behind an OpenShift router that uses SNI to select the target service and certificates. As there is no _sso.redhat.com_ target behind that OpenShift router it returns the default, which fails validation against the _sso.redhat.com_ name.

To address that this patch changes the SDK so that it uses a different client for each host.

Related: openshift-online#356
Signed-off-by: Juan Hernandez <juan.hernandez@redhat.com>
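A simplified model of the bug and of the fix described in the commit message above, as an added example that is not the SDK's own code. The `selector` type, its `perHost` switch, the `clientFor` and `tlsName` helpers and the URL paths are assumptions made for illustration; only the two host names come from this page.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"net/http"
	"net/url"
	"sync"
)

// selector (hypothetical) caches HTTP clients. With perHost=false it models
// the shared client of 0.1.164; with perHost=true it models the fix.
type selector struct {
	perHost bool
	clients sync.Map // cache key -> *http.Client
}

// clientFor returns the cached client for rawURL, creating it on first use.
func (s *selector) clientFor(rawURL string) (*http.Client, error) {
	u, err := url.Parse(rawURL)
	if err != nil {
		return nil, err
	}
	key := "" // shared mode: every host maps to the same cached client
	if s.perHost {
		key = u.Hostname()
	}
	c, _ := s.clients.LoadOrStore(key, &http.Client{Transport: &http.Transport{
		TLSClientConfig: &tls.Config{ServerName: u.Hostname()},
	}})
	return c.(*http.Client), nil
}

// tlsName reports the SNI / certificate verification name used for rawURL.
func (s *selector) tlsName(rawURL string) (string, error) {
	c, err := s.clientFor(rawURL)
	if err != nil {
		return "", err
	}
	return c.Transport.(*http.Transport).TLSClientConfig.ServerName, nil
}

func main() {
	for _, perHost := range []bool{false, true} {
		s := &selector{perHost: perHost}
		sso, _ := s.tlsName("https://sso.redhat.com/token") // constructed path
		api, _ := s.tlsName("https://api.openshift.com/api") // constructed path
		fmt.Println(perHost, sso, api)
	}
}
```

In shared mode the second line of output shows the API request inheriting the SSO server name, which is the mismatch the router and certificate check reject.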
The more relevant changes in the new version are the following:

- Fix wrong TLS server name.

Related: openshift-online#356
Signed-off-by: Juan Hernandez <juan.hernandez@redhat.com>
Fixed in #357 and included in release 0.1.165.
Version 0.1.164 of the SDK sends an incorrect `Host` header to the API server, containing the name of the SSO server instead of the name of the API server:

That results in a rejected request because the verification of the host name in the TLS certificate fails.