Don't send an SNI Client Hello extension bearing an IPv6 address

RESOLVED FIXED in 3.11.10

Status: RESOLVED FIXED
Reporter: nelson, Assigned: nelson
Tracking: 3.11, 3.11.10
Firefox Tracking Flags: (Not tracked)
Attachments: 2

When a client attempts to connect to a user using TLS, it typically sends 
a "Server Name Indication" (SNI) extension to the server, bearing the DNS 
name for the virtual server whose certificate it wants to see.  

If the client has not been given a DNS name by its calling app, but rather 
has been given an IP address, it's supposed to be smart and recognize that 
the string is an IP address and not send a Server Name Indication bearing 
that IP address.

The code that composes the SNI extension detects IPv4 address strings, but
does not detect IPv6 address strings, so it may send an IPv6 address string
inside the SNI client hello extension to the server.  Servers can rightfully
barf on that.
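A defensive version of the check described above, written here as an added example in C (it is not NSS code, and the function names are assumed): a host string that parses as an IPv4 or IPv6 literal is kept out of the SNI extension, which RFC 6066 forbids for both families. It goes slightly beyond the bug's own case by also recognizing bracketed ("[2001:db8::1]") and zone-scoped ("fe80::1%eth0") IPv6 literals.

```c
/* Added example, not NSS code: decide whether a host string may be placed
 * in the SNI HostName. RFC 6066 forbids IPv4 and IPv6 literals there; the
 * NSS bug was that only the IPv4 form was being detected. */
#include <arpa/inet.h>
#include <string.h>
#include <stdio.h>

#define MAX_HOST 255   /* longest DNS name we are willing to inspect */

/* Returns 1 if `host` is an IPv4 or IPv6 address literal (bracketed and
 * zone-scoped IPv6 forms included), 0 for anything else. */
int is_ip_literal(const char *host)
{
    unsigned char buf[sizeof(struct in6_addr)];
    char tmp[MAX_HOST + 1];
    char *pct;
    size_t len;

    if (host == NULL) return 0;
    len = strlen(host);
    if (len == 0 || len > MAX_HOST) return 0;

    /* URL-style "[v6addr]": strip the brackets before parsing. */
    if (host[0] == '[' && host[len - 1] == ']') {
        memcpy(tmp, host + 1, len - 2);
        tmp[len - 2] = '\0';
    } else {
        memcpy(tmp, host, len + 1);
    }
    /* Drop a scope/zone id such as "%eth0"; inet_pton does not accept it. */
    pct = strchr(tmp, '%');
    if (pct) *pct = '\0';

    if (inet_pton(AF_INET, tmp, buf) == 1) return 1;   /* dotted quad */
    if (inet_pton(AF_INET6, tmp, buf) == 1) return 1;  /* colon-hex form */
    return 0;
}

/* The decision the client hello writer must make: emit SNI only when the
 * string the application handed us is a real DNS name. */
int should_send_sni(const char *host)
{
    return host != NULL && host[0] != '\0' && !is_ip_literal(host);
}

int main(void)
{
    const char *hosts[] = { "www.example.com", "192.0.2.10", "2001:db8::1" };
    for (int i = 0; i < 3; i++)
        printf("%-16s send SNI: %d\n", hosts[i], should_send_sni(hosts[i]));
    return 0;
}
```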
Created attachment 308098
patch v1 for NSS_3_11_BRANCH (checked in)

untested patch for branch. Will test before requesting review.
Assignee: nobody → nelson
Status: NEW → ASSIGNED
Created attachment 308099
Patch v1 for NSS Trunk (checked in)
Comment on attachment 308099
Patch v1 for NSS Trunk (checked in)

I finally tested this patch.
Wan-Teh, please review.
Attachment #308099 - Flags: review?(wtc)
Comment on attachment 308098
patch v1 for NSS_3_11_BRANCH (checked in)

Julien, this patch is the same as the other one, but applies cleanly to the branch. Please give this a second review for the branch.
Attachment #308098 - Flags: review?(julien.pierre.boogz)

Attachment #308098 - Flags: review?(julien.pierre.boogz) → review+
Attachment #308099 - Flags: review?(wtc) → review+

Comment 5

Comment on attachment 308099
Patch v1 for NSS Trunk (checked in)

r=wtc.

Comment 6

Comment on attachment 308098
patch v1 for NSS_3_11_BRANCH (checked in)

r=wtc.
Attachment #308098 - Flags: superreview+
Comment on attachment 308099
Patch v1 for NSS Trunk (checked in)

Checking in ssl/ssl3ext.c; new revision: 1.3; previous revision: 1.2
Attachment #308099 - Attachment description: Patch v1 for NSS Trunk → Patch v1 for NSS Trunk (checked in)
Comment on attachment 308098
patch v1 for NSS_3_11_BRANCH (checked in)

nss/lib/ssl/ssl3ecc.c; new revision: 1.3.2.14; previous revision: 1.3.2.13
Attachment #308098 - Attachment description: patch v1 for NSS_3_11_BRANCH → patch v1 for NSS_3_11_BRANCH (checked in)
Status: ASSIGNED → RESOLVED
Resolution: --- → FIXED