tls: fix IPv6 hostname verification regression#64128
tls: fix IPv6 hostname verification regression#64128Paraspandey-debugs wants to merge 2 commits into
Conversation
|
Review requested:
|
|
Should i rewrite the commit message and then reopen a seperate PR ? |
|
@Paraspandey-debugs You can amend the commit locally and force-push to the same branch in your own repository ( |
Check IP addresses before IDNA conversion. Applying domainToASCII() to raw IPv6 addresses returns an empty string, causing SAN IP verification to be skipped. Compare IPv4/IPv6 addresses directly against IP SANs. Add regression tests for IPv6 SAN verification. Fixes: nodejs#64032 Signed-off-by: Paraspandey-debugs <p.pandey250806@gmail.com>
|
Friendly ping on the issue. Looks like the bug slipped into Electron 43 and affects us. Thank you! |
Co-authored-by: James M Snell <jasnell@gmail.com>
|
Ah, does this duplicate #64145? That's just been merged today and seems to be fixing the same issue, albeit in a slightly different way. Sorry @Paraspandey-debugs, I should have caught this sooner. I think both would work - #64145 has some very minor advantages (for the common non-IP case it calls |
The previous normalization logic applied domainToASCII() to all hostnames, which returns an empty string for raw IPv6 addresses. This caused the IP SAN check to be skipped and verification to incorrectly fall back to domain matching. This patch moves the IP address check before any IDNA conversion, ensuring IPv6 (and IPv4) addresses are compared directly against the certificate's IP Subject Alternative Names.
Adds regression tests for IPv6 SAN verification.
Fixes: #64032