Don't use IP addresses for SNI

@VaporBot VaporBot released this 21 Jul 13:26
· 20 commits to main since this release
3af54d0
This patch was authored by @olivernyc and released by @0xTim.

TLS forbids the use of literal IPv4 and IPv6 addresses in server name indication. However, websocket-kit passes IP addresses to NIOSSLClientHandler as serverHostname, which triggers an error when the underlying validateSNIServerName is called. See apple/swift-nio-ssl#380 for more context.

This PR adds a do / catch statement to pass nil for serverHostname in case of the specific cannotUseIPAddressInSNI error, which allows for secure connections to IP addresses.
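
The fallback described above, sketched as an added example; it is not the code from the PR or from websocket-kit. The helper name `makeClientTLSHandler` and the sample hosts are assumptions made for illustration; `NIOSSLClientHandler`, `NIOSSLContext`, `TLSConfiguration` and `NIOSSLExtraError.cannotUseIPAddressInSNI` are swift-nio-ssl APIs.

```swift
import NIOSSL

/// Hypothetical helper (the name is an assumption, not websocket-kit API).
/// Builds the client TLS handler for `host` and omits SNI only when NIOSSL
/// rejects the value because it is an IP address literal.
func makeClientTLSHandler(context: NIOSSLContext, host: String) throws -> NIOSSLClientHandler {
    do {
        // DNS names take this path and are sent in the SNI extension.
        return try NIOSSLClientHandler(context: context, serverHostname: host)
    } catch let error as NIOSSLExtraError where error == .cannotUseIPAddressInSNI {
        // IPv4/IPv6 literal: retry with nil so that no server name is sent.
        // The catch is scoped to this single error, and the TLSConfiguration
        // behind `context` (including certificateVerification) is not changed.
        return try NIOSSLClientHandler(context: context, serverHostname: nil)
    }
    // Any other error thrown by the initializer propagates to the caller
    // instead of silently downgrading to a handler without a server name.
}

// Constructed sample hosts; 192.0.2.10 is a documentation-range address.
let tlsContext = try NIOSSLContext(configuration: TLSConfiguration.makeClientConfiguration())
_ = try makeClientTLSHandler(context: tlsContext, host: "example.com")  // first branch
_ = try makeClientTLSHandler(context: tlsContext, host: "192.0.2.10")   // fallback branch
```

Matching on the specific error rather than catching everything keeps other hostname validation failures visible to the caller.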