From: merch-redmine@...
Date: 2020-03-27T16:29:50+00:00
Subject: [ruby-core:97604] [Ruby master Bug#16692] net/http SNI not RFC 6066 compliant & wrong certificate hit

Issue #16692 has been updated by jeremyevans0 (Jeremy Evans).

Status changed from Open to Closed

commit:54072e329cab7207fba133caba4fc12b45add8f9 was added as a feature in Ruby 2.7, and we only backport bug fixes to released versions, not features. You will have to upgrade to Ruby 2.7 if you would like this to work, using the new `:ipaddr` option.

----------------------------------------
Bug #16692: net/http SNI not RFC 6066 compliant & wrong certificate hit
https://bugs.ruby-lang.org/issues/16692#change-84792

* Author: aeris (Nicolas Vinot)
* Status: Closed
* Priority: Normal
* ruby -v: 2.6.5
* Backport: 2.5: UNKNOWN, 2.6: UNKNOWN, 2.7: UNKNOWN
----------------------------------------
Hi,

Currently, net/http sets the SNI to the address you want to connect to.
https://github.com/ruby/ruby/blob/master/lib/net/http.rb#L1025-L1026

This is maybe a wrong assumption because you may want to connect to a specific IP address while requesting a host specified via an HTTP `Host` header.

```ruby
require 'net/http'

http = Net::HTTP.new '127.0.0.1', 443 # Forcing IP address
http.use_ssl = true
request = Net::HTTP::Get.new '/'
request['Host'] = 'localhost'
response = http.request request
```

Currently you hit the wrong certificate behavior because SNI is set to `127.0.0.1` instead of `localhost` as expected.

The current implementation is also not compliant with [RFC 6066](https://tools.ietf.org/html/rfc6066#page-6).

```
Literal IPv4 and IPv6 addresses are not permitted in "HostName".
```

I first thought to fix this behavior by setting SNI to the `Host` header, but it seems we don't have access to the request context in this part of the code… :(
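
The `:ipaddr` option named in the reply, shown as an added example that is not part of the thread or of Ruby's own code: the host name stays the `Net::HTTP` address, so it drives SNI, the `Host` header and certificate hostname verification, while `ipaddr=` only picks the TCP destination. It assumes Ruby 2.7 or later; the helper names `demo_cert` and `sni_seen_by_server`, the throwaway certificate and the one-shot local TLS server are constructed for the demonstration.

```ruby
require 'net/http'
require 'openssl'
require 'socket'

# Constructed throwaway self-signed certificate for "localhost" (demo only).
def demo_cert
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse('/CN=localhost')
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new(cert, cert)
  cert.add_extension(ef.create_extension('subjectAltName', 'DNS:localhost'))
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  [cert, key]
end

# Hypothetical helper: start a one-shot local TLS server, make one request with
# Net::HTTP, and return [SNI name the server saw (nil if none), HTTP status].
def sni_seen_by_server(address, ipaddr)
  cert, key = demo_cert
  seen = nil
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.add_certificate(cert, key)
  ctx.servername_cb = lambda { |args| seen = args[1]; nil } # args = [socket, name]
  tcp = TCPServer.new('127.0.0.1', 0)
  server = Thread.new do
    conn = OpenSSL::SSL::SSLServer.new(tcp, ctx).accept
    conn.gets("\r\n\r\n") # read the request headers
    conn.write("HTTP/1.1 200 OK\r\nContent-Length: 0\r\nConnection: close\r\n\r\n")
    conn.close
  rescue OpenSSL::SSL::SSLError, IOError
    nil
  end
  http = Net::HTTP.new(address, tcp.addr[1], nil) # nil: ignore proxy env vars
  http.ipaddr = ipaddr          # TCP destination only (Ruby >= 2.7)
  http.use_ssl = true           # SNI and the certificate check use `address`
  http.cert_store = OpenSSL::X509::Store.new.tap { |s| s.add_cert(cert) }
  code = http.request(Net::HTTP::Get.new('/')).code
  server.join
  [seen, code]
ensure
  tcp&.close
end
```

Calling `sni_seen_by_server('localhost', '127.0.0.1')` completes a fully verified handshake against the forced IP address with `localhost` as the server name.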