Issue #10613 has been updated by Eddy Kim.


Hi, any feedback on this?

The patch adds the ability to turn off SNI triggering behavior, but by default it continues the previous behavior.

Not all SSL servers support SNI, and forcing SNI without an option to disable it makes it impossible to communicate with a conforming TLS implementation.

We're using this patch on our ruby installations, but I think this is something that would be widely useful to the community, especially since it's not obvious why a TLS negotiation would fail with some servers.

Please let me know if I need to do anything to help get this merged in.

Thanks!


----------------------------------------
Bug #10613: SNI is not optional when using TLS
https://bugs.ruby-lang.org/issues/10613#change-50763

* Author: Eddy Kim
* Status: Assigned
* Priority: Normal
* Assignee: Yui NARUSE
* Category: lib
* Target version: 
* ruby -v: 2.1
* Backport: 2.0.0: UNKNOWN, 2.1: UNKNOWN
----------------------------------------
If ruby is using openssl with TLS extensions, and we attempt to connect to a server which supports TLS, but not SNI, the connection fails.

e.g.:

~~~ruby
require 'net/http'
require 'uri'
require 'openssl'

uri = URI.parse("https://example.com") # a server that supports TLSv1 but not the TLS extensions
http = Net::HTTP.new(uri.host, uri.port)
http.use_ssl = true
http.ssl_version = :TLSv1
http.verify_mode = OpenSSL::SSL::VERIFY_PEER
response = http.get(uri.request_uri)
~~~
~~~
OpenSSL::SSL::SSLError: SSL_connect returned=1 errno=0 state=SSLv3 read server hello B: parse tlsext
~~~

If I patch the `Net::HTTP#connect` method to not assign the hostname to the socket (`s`), we can avoid this error.



---Files--------------------------------
optional-sni.patch (1019 Bytes)
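The issue turns on a single assignment: `Net::HTTP#connect` sets `hostname=` on the `OpenSSL::SSL::SSLSocket`, which makes OpenSSL put a `server_name` extension into the ClientHello. The example below is an added illustration, not code from the issue, the attached patch or Ruby's `Net::HTTP`. It starts a throwaway TLS server on the loopback interface (a self-signed certificate for `localhost`, port chosen by the OS, both constructed here), registers a `servername_cb` so the server records the SNI name it receives, and then performs one handshake with `hostname=` set and one without. That makes the difference visible locally, without any external server, and is a quick way to confirm whether a failing negotiation really has SNI on the wire before blaming the peer. The client keeps `VERIFY_PEER`, as in the report, by pinning the test certificate in its `cert_store`.

```ruby
require "socket"
require "openssl"

# Build a self-signed certificate for the local test server.
# Constructed for this example only; nothing here comes from the issue.
def build_self_signed_cert(common_name)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{common_name}")
  cert.issuer = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = cert
  cert.add_extension(ef.create_extension("basicConstraints", "CA:TRUE", true))
  cert.add_extension(ef.create_extension("subjectAltName", "DNS:#{common_name}", false))
  cert.sign(key, OpenSSL::Digest::SHA256.new)
  [cert, key]
end

# Run one TLS handshake against a loopback server and return the SNI name the
# server saw in the ClientHello, or :none if the client sent no server_name
# extension at all (OpenSSL does not invoke servername_cb in that case).
def sni_seen_by_server(send_sni:, server_name: "localhost")
  cert, key = build_self_signed_cert(server_name)

  server_ctx = OpenSSL::SSL::SSLContext.new
  server_ctx.cert = cert
  server_ctx.key = key
  seen = :none
  # Ruby passes [ssl_socket, name] as one array; a non-lambda proc splats it.
  server_ctx.servername_cb = proc do |_ssl_socket, name|
    seen = name
    nil # nil keeps the default context for this connection
  end

  tcp_server = TCPServer.new("127.0.0.1", 0) # port 0: let the OS pick a free port
  port = tcp_server.addr[1]
  server_thread = Thread.new do
    raw = tcp_server.accept
    ssl = OpenSSL::SSL::SSLSocket.new(raw, server_ctx)
    begin
      ssl.accept
    rescue OpenSSL::SSL::SSLError
      # A failed handshake is still a valid outcome for this probe.
    ensure
      ssl.close
      raw.close
    end
  end

  client_ctx = OpenSSL::SSL::SSLContext.new
  client_ctx.verify_mode = OpenSSL::SSL::VERIFY_PEER
  store = OpenSSL::X509::Store.new
  store.add_cert(cert) # trust exactly the test certificate, nothing else
  client_ctx.cert_store = store

  sock = TCPSocket.new("127.0.0.1", port)
  ssl = OpenSSL::SSL::SSLSocket.new(sock, client_ctx)
  ssl.sync_close = true
  # This is the assignment Net::HTTP#connect performs unconditionally; it is
  # what puts the server_name extension into the ClientHello.
  ssl.hostname = server_name if send_sni
  ssl.connect
  ssl.close
  server_thread.join
  tcp_server.close
  seen
end

if __FILE__ == $0
  puts "with hostname= set:   server saw SNI #{sni_seen_by_server(send_sni: true).inspect}"
  puts "without hostname=:    server saw SNI #{sni_seen_by_server(send_sni: false).inspect}"
end
```

Run it as a script and the two lines show `"localhost"` and `:none` respectively. To reproduce the reported failure against a real endpoint, the same client half can be pointed at the server in question with and without the `hostname=` line; if only the SNI-bearing handshake dies with `parse tlsext`, the behaviour the report describes is confirmed and an opt-out such as the attached patch is the relevant fix, while a handshake that fails both ways points somewhere else (cipher or protocol version mismatch, certificate problems).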


-- 
https://bugs.ruby-lang.org/