fix(s2n-tls-hyper): Add proper IPv6 address formatting #4938
Merged
Conversation
goatgoose
commented
Nov 26, 2024
AaunssA40QcjQFQYI8ADTiQHW20rZcsVRKkwRkNVps/vMDpLBCyBp96xhTAtkoDH
Xs/Zi1bJiJ8xw3TkDeJFShpP+cQPYHI36qWqNjTei9eHrNX8sNFAdNZVyitoZ3/W
FrPdms/ivlvgQbWWB3EKxD+PsQXoYvjkGhMNmg==
-----END CERTIFICATE-----
Certificate content:
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
4f:58:57:a5:76:45:86:96:de:ab:a5:24:6e:a9:67:38:a0:1e:52:8a
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=US, ST=MA, L=Boston, O=Amazon, OU=AmazonWebServices, CN=localhost
Validity
Not Before: Nov 26 04:52:47 2024 GMT
Not After : Nov 2 04:52:47 2124 GMT
Subject: C=US, ST=MA, L=Boston, O=Amazon, OU=AmazonWebServices, CN=localhost
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
...
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
4E:BE:C7:F2:CF:FC:A3:6C:A4:A4:A3:B8:E6:3B:EC:A1:BE:BB:F7:80
X509v3 Authority Key Identifier:
4E:BE:C7:F2:CF:FC:A3:6C:A4:A4:A3:B8:E6:3B:EC:A1:BE:BB:F7:80
X509v3 Basic Constraints: critical
CA:TRUE
X509v3 Subject Alternative Name:
IP Address:0:0:0:0:0:0:0:1
Signature Algorithm: sha256WithRSAEncryption
Signature Value:
...
goatgoose force-pushed the hyper-ipv6 branch from 8b8c2c2 to 31f3703 on November 26, 2024 05:20
jmayclin approved these changes Nov 26, 2024
lrstewart approved these changes Nov 26, 2024
Description of changes:
s2n-tls-hyper provides s2n-tls-tokio with a server name by parsing the host out of the URI for an HTTP request. s2n-tls uses the http::uri::Uri::host() API to do this:
s2n-tls/bindings/rust/s2n-tls-hyper/src/connector.rs, line 122 in 9877437
Per RFC 3986, IPv6 addresses are enclosed with square brackets in the host section of a URI:
https://datatracker.ietf.org/doc/html/rfc3986#section-3.2.2
The value returned by the Uri::host() API includes these square brackets. While the square brackets are part of the "host" URI content, they aren't part of the actual address, and should not be sent in the server name or matched against identities in the server's certificate. This PR trims out these square brackets so that s2n-tls-tokio is provided the proper server name when an IPv6 address is specified in an HTTP request.
Call-outs:
None
Testing:
A new test was added that uses a certificate with an IPv6 identity to check that the server name is properly formatted. This test also generally tests s2n-tls-hyper connecting to an IPv6 endpoint.
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
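The bracket problem the description above explains, as an added stand-alone example that is not code from the s2n-tls repository or from this PR. It assumes no `http` crate: `uri_host` is a small hand-written RFC 3986 authority parser that returns the host exactly as `http::uri::Uri::host()` would (brackets included for an IPv6 literal), `server_name` does the trimming, and `matches_san` shows why the trimmed form is the one a certificate verifier needs, using the `IP Address:0:0:0:0:0:0:0:1` SAN from the test certificate in this PR as the sample identity. All function and type names are hypothetical.

```rust
use std::net::IpAddr;

/// Extract the host from a URI's authority per RFC 3986 section 3.2.2:
/// `authority = [ userinfo "@" ] host [ ":" port ]`, where an IPv6 literal
/// is written inside square brackets. The brackets are returned as part of
/// the host, mirroring what `http::uri::Uri::host()` returns.
/// (Hypothetical helper written for this example, not the project's parser.)
fn uri_host(uri: &str) -> Option<&str> {
    // Skip the scheme and the "//" that introduces the authority.
    let rest = uri.split_once("://")?.1;
    // The authority ends at the first '/', '?' or '#'.
    let end = rest
        .find(|c: char| c == '/' || c == '?' || c == '#')
        .unwrap_or(rest.len());
    let authority = &rest[..end];
    // Drop any "userinfo@" prefix (the last '@' separates it from the host).
    let hostport = authority.rsplit_once('@').map_or(authority, |(_, h)| h);
    if hostport.starts_with('[') {
        // IP-literal: everything up to and including the closing ']'.
        let close = hostport.find(']')?;
        Some(&hostport[..=close])
    } else {
        // reg-name or IPv4 literal: strip an optional ":port".
        hostport.split(':').next()
    }
}

/// Trim the square brackets from an IPv6 literal so the bare address can be
/// handed to the TLS layer as the server name. Other hosts pass through.
fn server_name(host: &str) -> &str {
    host.strip_prefix('[')
        .and_then(|h| h.strip_suffix(']'))
        .unwrap_or(host)
}

/// How a certificate verifier sees a server name: an IP literal is compared
/// against SAN "IP Address" entries, anything else against SAN DNS names.
#[derive(Debug, PartialEq)]
enum Identity {
    Ip(IpAddr),
    Dns(String),
}

fn identity(server_name: &str) -> Identity {
    match server_name.parse::<IpAddr>() {
        Ok(ip) => Identity::Ip(ip),
        Err(_) => Identity::Dns(server_name.to_ascii_lowercase()),
    }
}

/// Match `server_name` against constructed SAN entries. IP entries are
/// compared as parsed addresses, so openssl's rendering "0:0:0:0:0:0:0:1"
/// equals "::1". A still-bracketed "[::1]" parses as neither an IP address
/// nor a DNS name present in the certificate, so it never matches.
fn matches_san(server_name: &str, san_ips: &[&str], san_dns: &[&str]) -> bool {
    match identity(server_name) {
        Identity::Ip(ip) => san_ips.iter().any(|s| s.parse::<IpAddr>() == Ok(ip)),
        Identity::Dns(name) => san_dns.iter().any(|d| d.eq_ignore_ascii_case(&name)),
    }
}

fn main() {
    // Constructed sample: an HTTPS request to the IPv6 loopback, and the SAN
    // of the PR's test certificate as openssl prints it.
    let san_ips = ["0:0:0:0:0:0:0:1"];
    for uri in ["https://[::1]:8443/", "https://user@[2001:db8::1]/x", "https://localhost/"] {
        let host = uri_host(uri).expect("authority present");
        let name = server_name(host);
        println!(
            "{uri}: host={host:?} server_name={name:?} raw_matches={} trimmed_matches={}",
            matches_san(host, &san_ips, &[]),
            matches_san(name, &san_ips, &[])
        );
    }
}
```

Trimming only touches the transport-level name; the URI (and therefore the HTTP `Host` header) keeps its brackets, as RFC 3986 requires. One caveat on the word "server name": s2n-tls-tokio uses it for identity matching, but RFC 6066 section 3 does not permit literal IPv4 or IPv6 addresses in the SNI `HostName` field, so whether a bare IP literal should also be sent on the wire as SNI is a separate question from the formatting fixed here.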