Trailing dot in SNI HostName must be stripped according to RFC 3546
Categories
(Core :: Security: PSM, defect, P5)
Tracking
()
People
(Reporter: winter-mozilla, Unassigned)
References
()
Details
(Whiteboard: [psm-backlog])
Attachments
(1 file)
894 bytes,
patch
|
Details | Diff | Splinter Review |
Reporter | ||
Updated•11 years ago
|
Updated•11 years ago
|
Comment 2•9 years ago
|
||
Reporter | ||
Comment 3•9 years ago
|
||
Reporter | ||
Comment 4•9 years ago
|
||
Updated•8 years ago
|
Updated•7 years ago
|
Comment 5•2 years ago
|
||
Bug 134402 comment 38 suggests Chrome does not strip it either. If that's still the case I think it would be better for the relevant SNI standard to be updated. We definitely don't want to be a first-mover here.
Comment hidden (advocacy) |
Updated•2 years ago
|
FYI, Go's crypto/tls does not accept trailing dot in the SNI domain name: https://github.com/golang/go/issues/63117
For example, going to https://www.xmox.nl./ with Firefox causes a TLS handshake error.
Note: I have no need for absolute URLs in Firefox, so Firefox's current behaviour is not bothering me, but it does look incorrect.
Comment 8•26 days ago
|
||
Based on experimentation, it appears that OpenSSL strips a terminal dot when building the client SNI; Go's code definitely does. GnuTLS doesn't seem to and will generate requests with such a SNI (and then fail to verify the resulting server certificate, which doesn't have such a name in it). When given a HTTPS URL with a terminal dot in the hostname, iOS Safari appears to strip it (it is hard for me to confirm by inspecting the resulting TLS traffic). RFC 6066 section 3 is specific that the SNI is not supposed to have the terminal dot, and as far as I know that section hasn't been updated by later RFCs.
Description
•