From: ben@...10r.com Date: 2016-12-15T04:25:38+00:00 Subject: [ruby-core:78649] [Ruby trunk Bug#10613] SNI is not optional when using TLS Issue #10613 has been updated by Ben Schmeckpeper. Unfortunately, I don't know any details about the server. It's not a box that we own. I am connecting over an SSH tunnel, so the hostname being used for SNI is 127.0.0.1. The server simply returns a 400; my best guess is that it's not configured to use a default certificate for unknown hostnames. (I can make things work by editing /etc/hosts locally, but that's not a viable approach in our production environment.) I am able to set the Host and Location headers, but have not been able to find a better solution than mokeypatching Net::HTTP#connect to disable SNI for connections to this server. In my case, the cert on this server is expired, so I don't even verify it. For what it's worth, cURL does not perform SNI when certificate checking is disabled (using the -k or --insecure flag.) (Sorry for the delay in getting back to you, I had just created my account and wasn't watching this issue.) ---------------------------------------- Bug #10613: SNI is not optional when using TLS https://bugs.ruby-lang.org/issues/10613#change-62032 * Author: Eddy Kim * Status: Assigned * Priority: Normal * Assignee: Yui NARUSE * Target version: * ruby -v: 2.1 * Backport: 2.0.0: UNKNOWN, 2.1: UNKNOWN ---------------------------------------- If ruby is using openssl with TLS extensions, and we attempt to connect to a server which supports TLS, but not SNI, the connection fails. e.g.: ~~~Ruby uri = URI.parse("https://example.com") # a server that supports TLSv1 but not the TLS extensions http = Net::HTTP.new(uri.host, uri.port) http.use_ssl = true http.ssl_version = :TLSv1 http.verify_mode = OpenSSL::SSL::VERIFY_PEER response = http.get(url) ~~~ ~~~ OpenSSL::SSL::SSLError: SSL_connect returned=1 errno=0 state=SSLv3 read server hello B: parse tlsext ~~~ If I patch the `Net::HTTP#connect` method to not assign the hostname to the socket (s), we can avoid this error. ---Files-------------------------------- optional-sni.patch (1019 Bytes) -- https://bugs.ruby-lang.org/ Unsubscribe: