Do not set SNI hostname if connecting to IP address

jeremyevans · jeremyevans · commit 56e7b406b80a · 2022-01-04T10:28:43.000-08:00
RFC 6066, section 3, explicitly disallows the use of an IP address
as an SNI server name.  So check if the connection is being made
to an IP address using the resolv regexps, and do not set an SNI
hostname in that case.

Recent changes to LibreSSL make it more strictly follow RFC 6066,
resulting an s.hostname= raising an error if passed an IP address.
When such verions of LibreSSL are used, this change not only fixes
the net/http tests, it also fixes tests for webrick and open-uri,
which both make SSL connections to 127.0.0.1 using net/http in
their tests.

Note that this results in a warning in the tests, but that is due
to an issue in the openssl extension.  A pull request has been
submitted to the openssl extension to remove that warning.

Revert the previous change that modified the regexp used for
checking the error message.
diff --git a/lib/net/http.rb b/lib/net/http.rb
@@ -22,6 +22,7 @@
 
 require 'net/protocol'
 require 'uri'
+require 'resolv'
 autoload :OpenSSL, 'openssl'
 
 module Net   #:nodoc:
@@ -1036,11 +1037,21 @@ def connect
           OpenSSL::SSL::SSLContext::SESSION_CACHE_CLIENT |
           OpenSSL::SSL::SSLContext::SESSION_CACHE_NO_INTERNAL_STORE
         @ssl_context.session_new_cb = proc {|sock, sess| @ssl_session = sess }
+
+        # Server Name Indication (SNI) RFC 3546
+        case @address
+        when Resolv::IPv4::Regex, Resolv::IPv6::Regex
+          # don't set SNI, as IP addresses in SNI is not valid
+          # per RFC 6066, section 3.
+        else
+          ssl_host_address = @address
+        end
+
         D "starting SSL for #{conn_addr}:#{conn_port}..."
         s = OpenSSL::SSL::SSLSocket.new(s, @ssl_context)
         s.sync_close = true
-        # Server Name Indication (SNI) RFC 3546
-        s.hostname = @address if s.respond_to? :hostname=
+        s.hostname = ssl_host_address if s.respond_to?(:hostname=) && ssl_host_address
+
         if @ssl_session and
            Process.clock_gettime(Process::CLOCK_REALTIME) < @ssl_session.time.to_f + @ssl_session.timeout
           s.session = @ssl_session
diff --git a/test/net/http/test_https.rb b/test/net/http/test_https.rb
@@ -255,7 +255,7 @@ def test_identity_verify_failure
     ex = assert_raise(OpenSSL::SSL::SSLError){
       http.request_get("/") {|res| }
     }
-    re_msg = /certificate verify failed|hostname \"#{HOST_IP}\" does not match|ssl3 ext invalid servername/
+    re_msg = /certificate verify failed|hostname \"#{HOST_IP}\" does not match/
     assert_match(re_msg, ex.message)
   end
 

Original file line number	Diff line number	Diff line change
`@@ -255,7 +255,7 @@ def test_identity_verify_failure`
`255`	`255`	`ex = assert_raise(OpenSSL::SSL::SSLError){`
`256`	`256`	`http.request_get("/") {\|res\| }`
`257`	`257`	`}`
`258`		`- re_msg = /certificate verify failed\|hostname \"#{HOST_IP}\" does not match\|ssl3 ext invalid servername/`
	`258`	`+ re_msg = /certificate verify failed\|hostname \"#{HOST_IP}\" does not match/`
`259`	`259`	`assert_match(re_msg, ex.message)`
`260`	`260`	`end`
`261`	`261`