summaryrefslogtreecommitdiff
path: root/lib/libtls/tls_server.c
diff options
context:
space:
mode:
authorJoel Sing <jsing@cvs.openbsd.org>2017-07-05 15:38:36 +0000
committerJoel Sing <jsing@cvs.openbsd.org>2017-07-05 15:38:36 +0000
commit477ee2e940ee1c79ec0690feb23a75c5f1514e0a (patch)
tree00af9be7de131145986ab7749ed2d0044af62d89 /lib/libtls/tls_server.c
parent5d4f2f739686be32b7df5c46ebdd4cd7f0a77dbd (diff)
RFC 6066 states that IP literals are not permitted in "HostName" for a
TLS Server Name extension, however seemingly several clients (including Python, Ruby and Safari) violate the RFC. Given that this is a fairly widespread issue, if we receive a TLS Server Name extension that contains an IP literal, pretend that we did not receive the extension rather than causing a handshake failure. Issue raised by jsg@ ok jsg@
Diffstat (limited to 'lib/libtls/tls_server.c')
-rw-r--r--lib/libtls/tls_server.c12
1 files changed, 9 insertions, 3 deletions
diff --git a/lib/libtls/tls_server.c b/lib/libtls/tls_server.c
index fd5a6175826..394cea1e8db 100644
--- a/lib/libtls/tls_server.c
+++ b/lib/libtls/tls_server.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_server.c,v 1.39 2017/06/22 18:03:57 jsing Exp $ */
+/* $OpenBSD: tls_server.c,v 1.40 2017/07/05 15:38:35 jsing Exp $ */
/*
* Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
*
@@ -91,10 +91,16 @@ tls_servername_cb(SSL *ssl, int *al, void *arg)
return (SSL_TLSEXT_ERR_NOACK);
}
- /* Per RFC 6066 section 3: ensure that name is not an IP literal. */
+ /*
+ * Per RFC 6066 section 3: ensure that name is not an IP literal.
+ *
+ * While we should treat this as an error, a number of clients
+ * (Python, Ruby and Safari) are not RFC compliant. To avoid handshake
+ * failures, pretend that we did not receive the extension.
+ */
if (inet_pton(AF_INET, name, &addrbuf) == 1 ||
inet_pton(AF_INET6, name, &addrbuf) == 1)
- goto err;
+ return (SSL_TLSEXT_ERR_NOACK);
free((char *)conn_ctx->servername);
if ((conn_ctx->servername = strdup(name)) == NULL)