Issue #16692 has been updated by aeris (Nicolas Vinot).


Seems [this 2.7 patch](https://github.com/ruby/ruby/commit/54072e329cab7207fba133caba4fc12b45add8f9) fixes the problem.
Would be interesting to backport it to 2.6.

----------------------------------------
Bug #16692:  net/http SNI not RFC 6066 compliant & wrong certificate hit
https://bugs.ruby-lang.org/issues/16692#change-84681

* Author: aeris (Nicolas Vinot)
* Status: Open
* Priority: Normal
* ruby -v: 2.6.5
* Backport: 2.5: UNKNOWN, 2.6: UNKNOWN, 2.7: UNKNOWN
----------------------------------------
Hi,

Currently, net/http sets the SNI to the address you want to connect to.
https://github.com/ruby/ruby/blob/master/lib/net/http.rb#L1025-L1026

This is maybe a wrong assumption, because you may want to connect to a specific IP address while requesting a host specified via an HTTP `Host` header.

``` ruby
http            = Net::HTTP.new '127.0.0.1', 443 # Forcing IP address
http.use_ssl    = true
request         = Net::HTTP::Get.new '/'
request['Host'] = 'localhost'
response        = http.request request
```

Currently you hit the wrong certificate behavior because SNI is set to `127.0.0.1` instead of `localhost` as expected.

The current implementation is also not compliant with [RFC 6066](https://tools.ietf.org/html/rfc6066#page-6).

```
Literal IPv4 and IPv6 addresses are not permitted in "HostName".
```

I first thought to fix this behavior by setting the SNI to the `Host` header, but it seems we don't have access to the request context in this part of the code :(



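The split described in the report, checked end to end on loopback: this is an added example, not code from the report or from ruby/ruby. It assumes Ruby 2.7 or later (it uses `Net::HTTP#ipaddr`, which pins the TCP destination without changing the name net/http puts in SNI and in the `Host` header), generates its own throwaway self-signed certificate for `localhost`, and starts its own small TLS server that records the SNI name and `Host` header it receives, so it runs offline.

```ruby
require 'net/http'
require 'openssl'
require 'socket'

# Constructed for this example: a throwaway self-signed certificate for
# "localhost" so the loopback server can complete a TLS handshake.
def self_signed_localhost
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = 1
  cert.subject    = OpenSSL::X509::Name.parse('/CN=localhost')
  cert.issuer     = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate  = cert
  cert.add_extension(ef.create_extension('subjectAltName', 'DNS:localhost'))
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  [key, cert]
end

# Minimal TLS server on 127.0.0.1 that records the SNI name offered in the
# ClientHello and the Host header of the first request, then answers 200.
# Returns [port, seen, thread]; `seen` is filled in by the server thread.
def start_recording_server(key, cert)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.cert = cert
  ctx.key  = key
  seen = { sni: nil, host: nil }
  # servername_cb only fires when the client actually sent an SNI extension,
  # so seen[:sni] stays nil for a ClientHello without one.
  ctx.servername_cb = proc { |_sock, name| seen[:sni] = name; nil }
  tcp    = TCPServer.new('127.0.0.1', 0)
  port   = tcp.addr[1]
  server = OpenSSL::SSL::SSLServer.new(tcp, ctx)
  thread = Thread.new do
    begin
      conn = server.accept
      while (line = conn.gets) && line != "\r\n"
        next unless line.downcase.start_with?('host:')
        # "Host: localhost:PORT" -> "localhost"
        seen[:host] = line.split(':', 2).last.strip.sub(/:\d+\z/, '')
      end
      conn.write("HTTP/1.1 200 OK\r\nContent-Length: 2\r\nConnection: close\r\n\r\nok")
      conn.close
    rescue StandardError => e
      seen[:error] = e.message
    ensure
      server.close
    end
  end
  [port, seen, thread]
end

# Issue one GET and report what the server observed. `address` is what
# net/http uses for SNI and the Host header; `ipaddr` (Net::HTTP#ipaddr,
# Ruby 2.7+) pins the TCP destination without changing either of them.
def observed_names(address:, ipaddr: nil)
  key, cert = self_signed_localhost
  port, seen, thread = start_recording_server(key, cert)
  http = Net::HTTP.new(address, port)
  http.ipaddr       = ipaddr if ipaddr
  http.use_ssl      = true
  http.verify_mode  = OpenSSL::SSL::VERIFY_NONE  # throwaway cert is in no trust store
  http.open_timeout = http.read_timeout = 5
  http.request(Net::HTTP::Get.new('/'))
  thread.join(5)
  seen
end

if $PROGRAM_NAME == __FILE__
  # Compliant form: TCP goes to the IP, SNI and Host carry the DNS name.
  p observed_names(address: 'localhost', ipaddr: '127.0.0.1')
  # Form from the report: the IP literal is the address, so whatever net/http
  # puts in SNI on your version (if anything) is what this prints.
  p observed_names(address: '127.0.0.1')
end
```

Running the second call on the Ruby version under test shows directly whether an IP literal ends up in the SNI extension, which is the RFC 6066 rule quoted above; the first call is the shape that keeps the TCP destination pinned while the server still sees `localhost` in both SNI and `Host`.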
-- 
https://bugs.ruby-lang.org/
