Posted to notifications@apisix.apache.org by GitBox <gi...@apache.org> on 2021/09/13 04:07:18 UTC

[GitHub] [apisix] tokers opened a new issue #5047: bug: The SNI match should be case-insensitive

tokers opened a new issue #5047:
URL: https://github.com/apache/apisix/issues/5047


   ### Issue description
   
   Quoting from RFC 6066:
   
   > "HostName" contains the fully qualified DNS hostname of the server,
      as understood by the client.  The hostname is represented as a byte
      string using ASCII encoding without a trailing dot.  This allows the
      support of internationalized domain names through the use of A-labels
      defined in [RFC5890].  DNS hostnames are case-insensitive.  The
      algorithm to compare hostnames is described in [RFC5890], Section
      2.3.2.4.
   
   The SNI should be case-insensitive. However, if the `snis` field in the `SSL` object contains some uppercase letters, APISIX doesn't convert them into lowercase. As a result, when the SNI sent from the client is all in lowercase, the SNI matching will fail and the SSL handshake will be aborted.
   
   PS: apisix-dashboard sniffs the `snis` from the SAN and CN fields of the certificate, and it doesn't convert them into lowercase either.
   
   ### Environment
   
   - apisix version (cmd: `apisix version`): master
   - OS (cmd: `uname -a`): N/A
   - OpenResty / Nginx version (cmd: `nginx -V` or `openresty -V`): N/A
   - etcd version, if have (cmd: run `curl http://127.0.0.1:9090/v1/server_info` to get the info from server-info API):
   - apisix-dashboard version, if have: N/A
   - luarocks version, if the issue is about installation (cmd: `luarocks --version`): N/A
   
   ### Steps to reproduce
   
   N/A
   
   ### Actual result
   
   N/A
   
   ### Error log
   
   N/A
   
   ### Expected result
   
   _No response_


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: notifications-unsubscribe@apisix.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org
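
The mismatch described in the issue above, next to a lookup that lowercases both the stored `snis` and the client's SNI, as an added example that is not APISIX code or part of the original thread. `ssl_objects`, `build_index` and `match_sni` are hypothetical names, the hostnames are constructed samples, and the wildcard entry goes one step beyond the exact-match case the issue describes.

```lua
-- Added example, not APISIX code. `ssl_objects`, `build_index` and
-- `match_sni` are hypothetical names; the hostnames are constructed samples.

-- Constructed SSL objects; `snis` mirrors the field named in the issue.
local ssl_objects = {
    { id = "1", snis = { "API.Example.COM" } },    -- mixed case, e.g. copied from a certificate SAN
    { id = "2", snis = { "*.Test.Example.org" } }, -- wildcard entry
}

-- Build a lookup table keyed by SNI. With `normalize` false this reproduces
-- the reported behaviour: keys keep whatever case the operator stored.
local function build_index(objects, normalize)
    local index = {}
    for _, obj in ipairs(objects) do
        for _, sni in ipairs(obj.snis) do
            local key = normalize and string.lower(sni) or sni
            index[key] = obj.id
        end
    end
    return index
end

-- Look up the SNI from the ClientHello: exact name first, then a wildcard
-- covering the leftmost label.
local function match_sni(index, client_sni, normalize)
    -- Hostnames in the SNI extension are ASCII (RFC 6066), so string.lower
    -- is sufficient for folding case.
    local name = normalize and string.lower(client_sni) or client_sni
    if index[name] then
        return index[name]
    end
    local rest = name:match("^[^.]+%.(.+)$")
    return rest and index["*." .. rest] or nil
end

local strict = build_index(ssl_objects, false)
local folded = build_index(ssl_objects, true)

for _, sni in ipairs({ "api.example.com", "API.EXAMPLE.COM", "a.test.example.org" }) do
    print(sni, "case-sensitive:", match_sni(strict, sni, false),
          "normalized:", match_sni(folded, sni, true))
end
```

Normalizing only one side is not enough: the stored `snis` and the name taken from the handshake both have to be folded, otherwise a lowercase index still misses a client that sends uppercase.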



[GitHub] [apisix] spacewander closed issue #5047: bug: The SNI match should be case-insensitive

Posted by GitBox <gi...@apache.org>.
spacewander closed issue #5047:
URL: https://github.com/apache/apisix/issues/5047


   





[GitHub] [apisix] leslie-tsang edited a comment on issue #5047: bug: The SNI match should be case-insensitive

Posted by GitBox <gi...@apache.org>.
leslie-tsang edited a comment on issue #5047:
URL: https://github.com/apache/apisix/issues/5047#issuecomment-917825863


   > The SNI should be case-insensitive. However, if the snis field in the SSL object contains some uppercase letters, APISIX doesn't convert them into lowercase. As a result, when the SNI sent from the client is all in lowercase, the SNI matching will fail and the SSL handshake will be aborted.
   
   Can't agree more; `string.lower` seems to be a feasible method.





[GitHub] [apisix] leslie-tsang commented on issue #5047: bug: The SNI match should be case-insensitive

Posted by GitBox <gi...@apache.org>.
leslie-tsang commented on issue #5047:
URL: https://github.com/apache/apisix/issues/5047#issuecomment-917825863


   > The SNI should be case-insensitive. However, if the snis field in the SSL object contains some uppercase letters, APISIX doesn't convert them into lowercase. As a result, when the SNI sent from the client is all in lowercase, the SNI matching will fail and the SSL handshake will be aborted.
   
   Can't agree more; `string.lower` seems to be a feasible method.

