[#78633] ruby/spec needs help from CRuby committers — Benoit Daloze <eregontp@...>
Currently, ruby/spec is maintained mostly by individuals and enjoys the
13 messages
2016/12/13
[#78963] Re: ruby/spec needs help from CRuby committers
— Urabe Shyouhei <shyouhei@...>
2017/01/04
I did ask attendees of last developer meeting to join this
[#78642] Re: ruby/spec needs help from CRuby committers
— Eric Wong <normalperson@...>
2016/12/14
Benoit Daloze <eregontp@gmail.com> wrote:
[ruby-core:78712] [Ruby trunk Bug#10613] SNI is not optional when using TLS
From:
k@...
Date:
2016-12-17 17:26:45 UTC
List:
ruby-core #78712
Issue #10613 has been updated by Kazuki Yamaguchi.
Ben Schmeckpeper wrote:
> I am connecting over an SSH tunnel, so the hostname being used for SNI is 127.0.0.1. The server simply returns a 400; my best guess is that it's not configured to use a default certificate for unknown hostnames. (I can make things work by editing /etc/hosts locally, but that's not a viable approach in our production environment.)
Connecting to HTTPS server with a raw IP address is not supported currently because the domain name is required for the SNI and also for the certificate verification on connection time.
There is a rejected ticket about specifying the IP address to connect, though in Japanese: [Feature #5180]. Editing /etc/hosts and overriding TCPSocket.open are the suggested workaround.
Not sure about what is the best way if net/http wants to support such usage, but I can say adding an option to turn off SNI is not on the right track.
----------------------------------------
Bug #10613: SNI is not optional when using TLS
https://bugs.ruby-lang.org/issues/10613#change-62086
* Author: Eddy Kim
* Status: Assigned
* Priority: Normal
* Assignee: Yui NARUSE
* Target version:
* ruby -v: 2.1
* Backport: 2.0.0: UNKNOWN, 2.1: UNKNOWN
----------------------------------------
If ruby is using openssl with TLS extensions, and we attempt to connect to a server which supports TLS, but not SNI, the connection fails.
e.g.:
~~~Ruby
uri = URI.parse("https://example.com") # a server that supports TLSv1 but not the TLS extensions
http = Net::HTTP.new(uri.host, uri.port)
http.use_ssl = true
http.ssl_version = :TLSv1
http.verify_mode = OpenSSL::SSL::VERIFY_PEER
response = http.get(url)
~~~
~~~
OpenSSL::SSL::SSLError: SSL_connect returned=1 errno=0 state=SSLv3 read server hello B: parse tlsext
~~~
If I patch the `Net::HTTP#connect` method to not assign the hostname to the socket (s), we can avoid this error.
---Files--------------------------------
optional-sni.patch (1019 Bytes)
--
https://bugs.ruby-lang.org/
Unsubscribe: <mailto:ruby-core-request@ruby-lang.org?subject=unsubscribe>
<http://lists.ruby-lang.org/cgi-bin/mailman/options/ruby-core>