Skip to content

Commit

Permalink
Merge pull request #1866 from sfackler/no-ip-sni
Browse files Browse the repository at this point in the history
Don't use IP addresses in SNI
  • Loading branch information
sfackler authored Mar 30, 2023
2 parents ded3573 + d355cb8 commit 297017d
Show file tree
Hide file tree
Showing 2 changed files with 59 additions and 3 deletions.
5 changes: 3 additions & 2 deletions openssl/src/ssl/connector.rs
Original file line number Diff line number Diff line change
Expand Up @@ -11,6 +11,7 @@ use crate::ssl::{
SslOptions, SslRef, SslStream, SslVerifyMode,
};
use crate::version;
use std::net::IpAddr;

const FFDHE_2048: &str = "
-----BEGIN DH PARAMETERS-----
Expand Down Expand Up @@ -177,9 +178,9 @@ impl ConnectConfiguration {

/// Returns an `Ssl` configured to connect to the provided domain.
///
/// The domain is used for SNI and hostname verification if enabled.
/// The domain is used for SNI (if it is not an IP address) and hostname verification if enabled.
pub fn into_ssl(mut self, domain: &str) -> Result<Ssl, ErrorStack> {
if self.sni {
if self.sni && domain.parse::<IpAddr>().is_err() {
self.ssl.set_hostname(domain)?;
}

Expand Down
57 changes: 56 additions & 1 deletion openssl/src/ssl/test/mod.rs
Original file line number Diff line number Diff line change
Expand Up @@ -21,10 +21,10 @@ use crate::hash::MessageDigest;
use crate::ocsp::{OcspResponse, OcspResponseStatus};
use crate::pkey::PKey;
use crate::srtp::SrtpProfileId;
use crate::ssl;
use crate::ssl::test::server::Server;
#[cfg(any(ossl110, ossl111, libressl261))]
use crate::ssl::SslVersion;
use crate::ssl::{self, NameType, SslConnectorBuilder};
#[cfg(ossl111)]
use crate::ssl::{ClientHelloResponse, ExtensionContext};
use crate::ssl::{
Expand Down Expand Up @@ -767,6 +767,61 @@ fn connector_can_disable_verify() {
s.read_exact(&mut [0]).unwrap();
}

#[test]
fn connector_does_use_sni_with_dnsnames() {
static CALLED_BACK: AtomicBool = AtomicBool::new(false);

let mut builder = Server::builder();
builder.ctx().set_servername_callback(|ssl, _| {
assert_eq!(ssl.servername(NameType::HOST_NAME), Some("foobar.com"));
CALLED_BACK.store(true, Ordering::SeqCst);
Ok(())
});
let server = builder.build();

let mut connector = SslConnector::builder(SslMethod::tls()).unwrap();
connector.set_ca_file("test/root-ca.pem").unwrap();

let s = server.connect_tcp();
let mut s = connector
.build()
.configure()
.unwrap()
.connect("foobar.com", s)
.unwrap();
s.read_exact(&mut [0]).unwrap();

assert!(CALLED_BACK.load(Ordering::SeqCst));
}

#[test]
fn connector_doesnt_use_sni_with_ips() {
static CALLED_BACK: AtomicBool = AtomicBool::new(false);

let mut builder = Server::builder();
builder.ctx().set_servername_callback(|ssl, _| {
assert_eq!(ssl.servername(NameType::HOST_NAME), None);
CALLED_BACK.store(true, Ordering::SeqCst);
Ok(())
});
let server = builder.build();

let mut connector = SslConnector::builder(SslMethod::tls()).unwrap();
// The server's cert isn't issued for 127.0.0.1 but we don't care for this test.
connector.set_verify(SslVerifyMode::NONE);

let s = server.connect_tcp();
let mut s = connector
.build()
.configure()
.unwrap()
.connect("127.0.0.1", s)
.unwrap();
s.read_exact(&mut [0]).unwrap();

assert!(CALLED_BACK.load(Ordering::SeqCst));
}

fn test_mozilla_server(new: fn(SslMethod) -> Result<SslAcceptorBuilder, ErrorStack>) {
let listener = TcpListener::bind("127.0.0.1:0").unwrap();
let port = listener.local_addr().unwrap().port();
Expand Down

0 comments on commit 297017d

Please sign in to comment.