[ruby-core:99403] [Ruby master Bug#10613] SNI is not optional when using TLS

< ^ > P N |<>| ^ _>< --- | ~ ...Help
Issue #10613 has been updated by jeremyevans0 (Jeremy Evans).

Status changed from Assigned to Closed

I think the need for this is handled by `Net::HTTP#ipaddr=`, which was added in Ruby 2.4.

----------------------------------------
Bug #10613: SNI is not optional when using TLS
https://bugs.ruby-lang.org/issues/10613#change-86851

* Author: edk750 (Eddy Kim)
* Status: Closed
* Priority: Normal
* Assignee: naruse (Yui NARUSE)
* ruby -v: 2.1
* Backport: 2.0.0: UNKNOWN, 2.1: UNKNOWN
----------------------------------------
If ruby is using openssl with TLS extensions, and we attempt to connect to a server which supports TLS, but not SNI, the connection fails.

e.g.:

~~~Ruby
uri = URI.parse("https://example.com") # a server that supports TLSv1 but not the TLS extensions
http = Net::HTTP.new(uri.host, uri.port)
http.use_ssl = true
http.ssl_version = :TLSv1
http.verify_mode = OpenSSL::SSL::VERIFY_PEER
response = http.get(url)
~~~
~~~
OpenSSL::SSL::SSLError: SSL_connect returned=1 errno=0 state=SSLv3 read server hello B: parse tlsext
~~~

If I patch the `Net::HTTP#connect` method to not assign the hostname to the socket (s), we can avoid this error.



---Files--------------------------------
optional-sni.patch (1019 Bytes)


-- 
https://bugs.ruby-lang.org/

Unsubscribe: <mailto:ruby-core-request / ruby-lang.org?subject=unsubscribe>
<http://lists.ruby-lang.org/cgi-bin/mailman/options/ruby-core>