You are viewing a plain text version of this content. The canonical link for it is here.
Posted to notifications@apisix.apache.org by GitBox <gi...@apache.org> on 2021/09/13 04:07:18 UTC
[GitHub] [apisix] tokers opened a new issue #5047: bug: The SNI match should be case-insensitive
tokers opened a new issue #5047:
URL: https://github.com/apache/apisix/issues/5047
### Issue description
Refer from RFC6066:
> "HostName" contains the fully qualified DNS hostname of the server,
as understood by the client. The hostname is represented as a byte
string using ASCII encoding without a trailing dot. This allows the
support of internationalized domain names through the use of A-labels
defined in [RFC5890]. DNS hostnames are case-insensitive. The
algorithm to compare hostnames is described in [RFC5890], Section
2.3.2.4.
The SNI should be case-insensitive, While if the `snis` field in the `SSL` object contains some uppercase letters, APISIX doesn't convert them into lowercase, as a result, when SNI sent from the client is all in lowercase, the SNI matching will fail and the SSL handshaking will be aborted.
PS: apisix-dashboard sniffs the `snis` from the SAN and CN fields from the certificate, it doesn't convert them into lowercase too.
### Environment
- apisix version (cmd: `apisix version`): master
- OS (cmd: `uname -a`): N/A
- OpenResty / Nginx version (cmd: `nginx -V` or `openresty -V`): N/A
- etcd version, if have (cmd: run `curl http://127.0.0.1:9090/v1/server_info` to get the info from server-info API):
- apisix-dashboard version, if have: N/A
- luarocks version, if the issue is about installation (cmd: `luarocks --version`): N/A
### Steps to reproduce
N/A
### Actual result
N/A
### Error log
N/A
### Expected result
_No response_
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: notifications-unsubscribe@apisix.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [apisix] spacewander closed issue #5047: bug: The SNI match should be case-insensitive
Posted by GitBox <gi...@apache.org>.
spacewander closed issue #5047:
URL: https://github.com/apache/apisix/issues/5047
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: notifications-unsubscribe@apisix.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [apisix] leslie-tsang edited a comment on issue #5047: bug: The SNI match should be case-insensitive
Posted by GitBox <gi...@apache.org>.
leslie-tsang edited a comment on issue #5047:
URL: https://github.com/apache/apisix/issues/5047#issuecomment-917825863
> The SNI should be case-insensitive, While if the snis field in the SSL object contains some uppercase letters, APISIX doesn't convert them into lowercase, as a result, when SNI sent from the client is all in lowercase, the SNI matching will fail and the SSL handshaking will be aborted.
Can't agree more, `string.lower` seems to be a feasible method
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: notifications-unsubscribe@apisix.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [apisix] leslie-tsang commented on issue #5047: bug: The SNI match should be case-insensitive
Posted by GitBox <gi...@apache.org>.
leslie-tsang commented on issue #5047:
URL: https://github.com/apache/apisix/issues/5047#issuecomment-917825863
> The SNI should be case-insensitive, While if the snis field in the SSL object contains some uppercase letters, APISIX doesn't convert them into lowercase, as a result, when SNI sent from the client is all in lowercase, the SNI matching will fail and the SSL handshaking will be aborted.
Can't agree more, `string.lower` seems to be a feasible method
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: notifications-unsubscribe@apisix.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org