tls: match IPv6 hosts against IP-Address SANs#64145
Conversation
|
Review requested:
|
9bbc413 to
33116ec
Compare
|
@pimterry sorry for the extra ping! The |
|
Can you rebase this again please @JumpLink? Sorry, there was an issue on main due to two conflicting PRs merging. It's resolved on main, but as you can see it breaks the tests here. |
33116ec to
14a455f
Compare
|
@pimterry Done, thanks for the heads-up about the conflicting PRs 👍 |
checkServerIdentity() stopped matching an IPv6 host against a matching
IP-Address SAN. The hostname is now run through domainToASCII() before
the net.isIP() gate, and domainToASCII('::1') === '' (an IPv6 literal is
not a domain), so net.isIP('') is 0, the IP-SAN branch is skipped, and
verification fails with "Cert does not contain a DNS name". IPv4 is
unaffected because dotted-decimal survives domainToASCII().
Match IP hosts against the original hostname instead of the IDNA-
normalized one. net.isIP() rejects non-ASCII input, so there is no IDNA
confusion to guard against for an IP literal; the normalized form is
still used for the DNS-name path.
Fixes: nodejs#64144
Signed-off-by: Pascal Garber <pascal@artandcode.studio>
|
@pimterry Rebased onto latest Since the force-push reset the workflow approval, could you kick the CI off again when you get a chance? Thanks! |
Codecov Report✅ All modified and coverable lines are covered by tests. Additional details and impacted files@@ Coverage Diff @@
## main #64145 +/- ##
==========================================
- Coverage 92.04% 90.25% -1.80%
==========================================
Files 381 741 +360
Lines 169252 240985 +71733
Branches 25941 45403 +19462
==========================================
+ Hits 155792 217501 +61709
- Misses 13173 15057 +1884
- Partials 287 8427 +8140
🚀 New features to boost your workflow:
|
tls.checkServerIdentity()stopped matching an IPv6 host against a matchingIP AddressSAN, returningERR_TLS_CERT_ALTNAME_INVALID(Cert does not contain a DNS name) where it used to returnundefined.The hostname is now run through
domainToASCII()before thenet.isIP()gate, anddomainToASCII('::1') === ''(an IPv6 literal is not a domain), sonet.isIP('')is0, the IP-SAN branch is skipped, and (with no DNS SAN / CN) it falls through to the no-identifier reason. IPv4 is unaffected because dotted-decimal survivesdomainToASCII().This matches IP hosts against the original hostname instead of the IDNA-normalized one.
net.isIP()rejects non-ASCII input, so there is no IDNA confusion to guard against for an IP literal; the normalized form is still used for the DNS-name path. Adds IPv6 IP-SAN coverage (match, canonical-form match, non-match) totest-tls-check-server-identity.Fixes: #64144