From: aeris+ruby@...
Date: 2020-03-15T23:04:18+00:00
Subject: [ruby-core:97513] [Ruby master Bug#16692] net/http SNI not RFC 6066 compliant & wrong certificate hit

Issue #16692 has been reported by aeris (Nicolas Vinot).

----------------------------------------
Bug #16692: net/http SNI not RFC 6066 compliant & wrong certificate hit
https://bugs.ruby-lang.org/issues/16692

* Author: aeris (Nicolas Vinot)
* Status: Open
* Priority: Normal
* ruby -v: 2.6.5
* Backport: 2.5: UNKNOWN, 2.6: UNKNOWN, 2.7: UNKNOWN
----------------------------------------
Hi,

Currently, net/http sets the SNI to the address you want to connect to.
https://github.com/ruby/ruby/blob/master/lib/net/http.rb#L1025-L1026

This is maybe a wrong assumption, because you can want to connect to a specific IP address but request a host specified via an HTTP `Host` header.

```ruby
require 'net/http'

http = Net::HTTP.new '127.0.0.1', 443 # Forcing the IP address as the connection target
http.use_ssl = true
request = Net::HTTP::Get.new '/'
request['Host'] = 'localhost'         # The virtual host we actually want to reach
response = http.request request
```

Currently you hit the wrong-certificate behavior because SNI is set to `127.0.0.1` instead of `localhost` as expected.

The current implementation is also not compliant with [RFC 6066](https://tools.ietf.org/html/rfc6066#page-6):

```
Literal IPv4 and IPv6 addresses are not permitted in "HostName".
```

I first thought to fix this behavior by setting SNI to the `Host` header, but it seems we don't have access to the request context in this code part :(

-- 
https://bugs.ruby-lang.org/
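Added example, not part of the bug report and not net/http's own code: a self-contained Ruby demonstration of the separation the report asks for. A throwaway self-signed certificate is generated for the constructed name `localhost`; a minimal TLS server and client then talk over a socket pair, which stands in for a TCP connection pinned to a fixed IP. The client derives both its SNI value (`hostname=`) and its certificate identity check from the intended name, never from the transport address, and the server's `servername_cb` reports the SNI it actually received. The client also reports which identities the presented certificate covers, which shows the "wrong certificate" side of the report: a certificate issued for `localhost` does not validate for `127.0.0.1`, so any client that derives its verification name from the IP cannot accept it without disabling verification. `HOSTNAME`, `make_cert`, `serve_once`, `tls_client` and `demo` are names chosen for this example.

```ruby
require 'openssl'
require 'socket'

# Constructed service name we intend to talk to. SNI, the certificate identity
# check (and, for net/http, the Host header) are all bound to this name, never
# to the IP address the TCP connection happens to be pinned to.
HOSTNAME = 'localhost'

# Build a self-signed certificate for +name+ (throwaway test material only).
def make_cert(name)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = 1
  cert.subject    = OpenSSL::X509::Name.parse("/CN=#{name}")
  cert.issuer     = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new(cert, cert)
  cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
  cert.add_extension(ef.create_extension('subjectAltName', "DNS:#{name}"))
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  [cert, key]
end

# Server half: accept one TLS session on +io+, send a banner, and return the
# SNI value the client presented during the handshake.
def serve_once(io, cert, key)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.cert = cert
  ctx.key  = key
  seen_sni = nil
  # servername_cb is handed [socket, name]; returning nil keeps this context.
  ctx.servername_cb = proc { |_sock, name| seen_sni = name; nil }
  ssl = OpenSSL::SSL::SSLSocket.new(io, ctx)
  ssl.sync_close = true
  ssl.accept
  ssl.puts 'hello'
  ssl.close
  seen_sni
end

# Client half: TLS over an already-open transport (here one end of a socket
# pair, standing in for a TCPSocket opened to a fixed IP). SNI and the
# certificate identity check both use +name+; the transport address is never
# consulted for either. Returns the banner and a per-name match table.
def tls_client(io, name, trust_store, check_names)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.verify_mode = OpenSSL::SSL::VERIFY_PEER
  ctx.cert_store  = trust_store
  ssl = OpenSSL::SSL::SSLSocket.new(io, ctx)
  ssl.sync_close = true
  ssl.hostname = name # SNI carries a DNS name, never a literal IP (RFC 6066)
  ssl.connect
  # Which identities does the certificate the server presented actually cover?
  matches = check_names.each_with_object({}) do |n, h|
    h[n] = OpenSSL::SSL.verify_certificate_identity(ssl.peer_cert, n)
  end
  raise OpenSSL::SSL::SSLError, "certificate is not for #{name}" unless matches[name]
  banner = ssl.gets
  ssl.close
  { banner: banner && banner.chomp, matches: matches }
end

# Run both halves over a socket pair and return what the server observed as SNI
# together with what the client verified.
def demo(name = HOSTNAME, check_names = [HOSTNAME, '127.0.0.1'])
  cert, key = make_cert(HOSTNAME)
  server_io, client_io = Socket.pair(:UNIX, :STREAM)
  server = Thread.new { serve_once(server_io, cert, key) }
  store = OpenSSL::X509::Store.new
  store.add_cert(cert) # trust only our throwaway certificate
  result = tls_client(client_io, name, store, check_names)
  result.merge(sni: server.value)
end

if $PROGRAM_NAME == __FILE__
  p demo # => {:banner=>"hello", :matches=>{"localhost"=>true, "127.0.0.1"=>false}, :sni=>"localhost"}
end
```

To map this back onto the report's net/http snippet: the name passed to `hostname=` and to the identity check is what net/http takes from its first constructor argument, which is why constructing it with `'127.0.0.1'` puts the IP into both places. Swapping the socket pair for `TCPSocket.new('127.0.0.1', 443)` keeps every other line unchanged, which is the property the report is asking net/http to preserve.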