classification
Title: SSLContext.wrap_socket sends SNI Extension when server_hostname is IP
Type: behavior Stage: resolved
Components: SSL Versions: Python 3.8, Python 3.7, Python 3.6, Python 2.7
process
Status: closed Resolution: fixed
Dependencies: Superseder:
Assigned To: christian.heimes Nosy List: alex, christian.heimes, dstufft, janssen, nitzmahone, paul.moore, pitrou, steve.dower, tim.golden, zach.ware
Priority: normal Keywords: 3.5regression, patch

Created on 2017-11-30 18:05 by nitzmahone, last changed 2018-04-14 22:19 by steve.dower. This issue is now closed.

Pull Requests
URL Status Linked Edit
PR 4938 closed christian.heimes, 2017-12-20 08:42
PR 5865 merged christian.heimes, 2018-02-24 23:53
PR 5871 merged miss-islington, 2018-02-25 08:47
PR 6474 closed steve.dower, 2018-04-14 22:19
Messages (9)
msg307333 - (view) Author: Matt Davis (nitzmahone) Date: 2017-11-30 18:05
The current implementation of SSLContext.wrap_socket blindly sends whatever is passed in server_hostname in the SNI extension, assuming it's a DNS hostname. RFC6066 describes the SNI TLS extension, and specifically states that 'Literal IPv4 and IPv6 addresses are not permitted in "HostName".' The RFC makes no recommendation on how a server implementation that violates this requirement should behave; Microsoft's kernel HTTP listener (http.sys) chooses to abort the connection if SNI has been enabled. In the http.sys case, SNI is a global setting, currently off by default, but if any registered listener has SNI enabled, the connection abort behavior applies to all listeners.

SSLContext.wrap_socket() should determine whether server_hostname is an IP address before including the SNI extension. 

I've submitted a PR to work around this issue in urllib3 (https://github.com/shazow/urllib3/pull/1287) in the meantime, but would be good to get this fixed, especially if Microsoft decides to enable SNI by default at some point.
msg307334 - (view) Author: Christian Heimes (christian.heimes) * (Python committer) Date: 2017-11-30 18:10
Thanks!

3.4 and 3.5 are out of scope. They only receive security fixes.

For 3.7 https://github.com/python/cpython/compare/master...tiran:openssl_check_hostname will take care of the issue

2.7 and 3.6 are a bit tricky. There is no platform-compatible way to detect if a string is an IP address. inet_pton() is not available on Windows. I cannot use the OpenSSL parser because it is only available in 1.0.2+. 2.7 and 3.6 still support 0.9.8.
msg308712 - (view) Author: Antoine Pitrou (pitrou) * (Python committer) Date: 2017-12-20 10:04
> There is no platform-compatible way to detect if a string is an IP address.

Actually, you could use the ipaddress module.
msg308713 - (view) Author: Antoine Pitrou (pitrou) * (Python committer) Date: 2017-12-20 10:14
By the way, Windows nowadays has inet_pton():
https://msdn.microsoft.com/en-us/library/windows/desktop/cc805844(v=vs.85).aspx

Are there other platforms without it?  inet_pton() is part of POSIX.
msg308715 - (view) Author: Christian Heimes (christian.heimes) * (Python committer) Date: 2017-12-20 10:33
The code works on all platforms with OpenSSL >= 1.0.2. OpenSSL 1.0.1, 0.9.8 and earlier are no longer supported by upstream. Anybody with even marginal interest in secure TLS/SSL should update. Python.org's Windows and macOS binaries are good.

The inet_pton() code in my patch is for those poor souls that are stuck with RHEL 6, CentOS 6, or Ubuntu 14.04. RHEL 7, CentOS 7, and Ubuntu 16.04 have OpenSSL 1.0.2.

The IP address module is slow and hard to use from C code.
msg308716 - (view) Author: Christian Heimes (christian.heimes) * (Python committer) Date: 2017-12-20 10:34
PS: With OpenSSL >= 1.0.2, inet_pton() is not required.
msg312782 - (view) Author: Christian Heimes (christian.heimes) * (Python committer) Date: 2018-02-25 08:47
New changeset e9370a47389903bb72badc95032ec84a0ebbf8cc by Christian Heimes in branch '3.6':
bpo-32185: Don't send IP in SNI TLS extension (#5865)
https://github.com/python/cpython/commit/e9370a47389903bb72badc95032ec84a0ebbf8cc
msg312786 - (view) Author: Christian Heimes (christian.heimes) * (Python committer) Date: 2018-02-25 09:16
New changeset a5c9112300ecd492ed6cc9759dc8028766401f61 by Christian Heimes (Miss Islington (bot)) in branch '2.7':
[2.7] bpo-32185: Don't send IP in SNI TLS extension (GH-5865) (#5871)
https://github.com/python/cpython/commit/a5c9112300ecd492ed6cc9759dc8028766401f61
msg312787 - (view) Author: Christian Heimes (christian.heimes) * (Python committer) Date: 2018-02-25 09:19
The issue has been fixed in 2.7, 3.6-3.8 for OpenSSL >= 1.0.2 or platforms with inet_pton. I didn't bother to fix platforms without inet_pton since OpenSSL 1.0.1 and earlier are no longer support any way.
History
Date User Action Args
2018-04-14 22:19:00steve.dowersetpull_requests: + pull_request6174
2018-02-25 09:19:20christian.heimessetstatus: open -> closed
versions: + Python 3.8
messages: + msg312787

resolution: fixed
stage: patch review -> resolved
2018-02-25 09:16:39christian.heimessetmessages: + msg312786
2018-02-25 08:47:16miss-islingtonsetpull_requests: + pull_request5644
2018-02-25 08:47:04christian.heimessetmessages: + msg312782
2018-02-24 23:53:30christian.heimessetpull_requests: + pull_request5639
2017-12-20 10:34:29christian.heimessetmessages: + msg308716
2017-12-20 10:33:57christian.heimessetmessages: + msg308715
2017-12-20 10:14:23pitrousetnosy: + paul.moore, tim.golden, zach.ware, steve.dower
messages: + msg308713
2017-12-20 10:04:19pitrousetnosy: + pitrou
messages: + msg308712
2017-12-20 08:42:12christian.heimessetkeywords: + patch
pull_requests: + pull_request4829
2017-12-20 08:39:03christian.heimessetkeywords: + 3.5regression
type: behavior
stage: patch review
2017-12-02 00:56:07martin.panterlinkissue32085 dependencies
2017-11-30 18:10:09christian.heimessetnosy: + janssen, alex, dstufft

messages: + msg307334
versions: - Python 3.4, Python 3.5
2017-11-30 18:05:09nitzmahonecreate