From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.1 (2015-04-28) on dcvr.yhbt.net X-Spam-Level: X-Spam-ASN: AS4713 221.184.0.0/13 X-Spam-Status: No, score=-3.9 required=3.0 tests=BAYES_00, HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI,RCVD_IN_DNSWL_MED,SPF_PASS shortcircuit=no autolearn=ham autolearn_force=no version=3.4.1 Received: from neon.ruby-lang.org (neon.ruby-lang.org [221.186.184.75]) by dcvr.yhbt.net (Postfix) with ESMTP id AC5DE1F97E for ; Sun, 7 Oct 2018 09:45:20 +0000 (UTC) Received: from neon.ruby-lang.org (localhost [IPv6:::1]) by neon.ruby-lang.org (Postfix) with ESMTP id 452FA120A7C; Sun, 7 Oct 2018 18:45:18 +0900 (JST) Received: from o1678916x28.outbound-mail.sendgrid.net (o1678916x28.outbound-mail.sendgrid.net [167.89.16.28]) by neon.ruby-lang.org (Postfix) with ESMTPS id 2D0D4120A0A for ; Sun, 7 Oct 2018 18:45:14 +0900 (JST) Received: by filter0095p3mdw1.sendgrid.net with SMTP id filter0095p3mdw1-9756-5BB9D5A7-11 2018-10-07 09:45:11.919774447 +0000 UTC m=+123092.759435022 Received: from herokuapp.com (ec2-54-146-190-243.compute-1.amazonaws.com [54.146.190.243]) by ismtpd0005p1sjc2.sendgrid.net (SG) with ESMTP id QyUJN_hYRUOmtQTE3wHNDg for ; Sun, 07 Oct 2018 09:45:11.691 +0000 (UTC) Date: Sun, 07 Oct 2018 09:45:12 +0000 (UTC) From: ruby-bugs@dienste.aaron-spettl.de To: ruby-core@ruby-lang.org Message-ID: References: Mime-Version: 1.0 X-Redmine-MailingListIntegration-Message-Ids: 64700 X-Redmine-Project: ruby-trunk X-Redmine-Issue-Id: 15215 X-Redmine-Issue-Author: aspettl X-Redmine-Sender: aspettl X-Mailer: Redmine X-Redmine-Host: bugs.ruby-lang.org X-Redmine-Site: Ruby Issue Tracking System X-Auto-Response-Suppress: All Auto-Submitted: auto-generated X-SG-EID: ync6xU2WACa70kv/Ymy4QrNMhiuLXJG8OTL2vJD1yS5aPJSzitf9PJEtSM16gV1rnXU/J/PKw32p4F kTGkCEsTYQGqV26pOG0NEf14ZWEOfRvHZvzv2EcPEd68/ZAPpqmLWx3LP2aXR3z+8yGczWQ54KfXe2 fN0TjI44I27KMH3o25NyxEImhURcHyq6z7eCpmmapsuL5F3GKYAQu06hbTCiauKqFBpQgGTy0P6dxM U= X-ML-Name: ruby-core X-Mail-Count: 89307 Subject: [ruby-core:89307] [Ruby trunk Feature#15215] HTTPS server name indication (SNI): explicit server_name in Net::HTTP X-BeenThere: ruby-core@ruby-lang.org X-Mailman-Version: 2.1.15 Precedence: list Reply-To: Ruby developers List-Id: Ruby developers List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Errors-To: ruby-core-bounces@ruby-lang.org Sender: "ruby-core" Issue #15215 has been updated by aspettl (Aaron Spettl). aspettl (Aaron Spettl) wrote: > **Proposed solution:** > Decouple the server name used for SNI from the address used for connecting. Add a new ssl_server_name attribute in Net::HTTP that defaults to the address (so the default behavior stays exactly the same). One comment on a corner case: When ssl_server_name is set, then it is always used for verifying the certificate - even when OpenSSL is old and does not support SNI yet. In such a case, the certificate presented by the server will not match probably (and, thus, verification fails). I think this is desired behavior. ---------------------------------------- Feature #15215: HTTPS server name indication (SNI): explicit server_name in Net::HTTP https://bugs.ruby-lang.org/issues/15215#change-74335 * Author: aspettl (Aaron Spettl) * Status: Open * Priority: Normal * Assignee: * Target version: ---------------------------------------- **Current behavior and problem:** At the moment, the host name or IP address given in the URL is used to provide the server name for SNI in HTTPS connections. While this behavior is sufficient in most cases, establishing a connection to a fixed IP using a certain server name is not possible. **Proposed solution:** Decouple the server name used for SNI from the address used for connecting. Add a new ssl_server_name attribute in Net::HTTP that defaults to the address (so the default behavior stays exactly the same). **Notes** * There are scenarios where a client would like to select a specific host when e.g. DNS round robin is configured. Examples: fallback strategies, monitoring of individual hosts. * This has nothing to do with the HTTP "Host" header, which one needs to set additionally. For my "proposed solution", a patch is attached (or see https://github.com/ruby/ruby/pull/1977). Please let me know about any ideas for improvement or other approaches, thanks! ---Files-------------------------------- ssl_server_name.patch (2.17 KB) -- https://bugs.ruby-lang.org/