Remove verify_hostname requires hostname warning #487
Conversation
When connecting to an IP address, you should not set hostname, since IP addresses are not allowed as SNI server names (per RFC 6066, section 3). A recent change to LibreSSL made it more strict, and LibreSSL will now raise an error if hostname= is used with an IP address. While SNI should not be used when connecting to an IP address, you still want to verify that the certificate sent by the server is valid for the IP address. Currently, that results in a warning, but it should not result in a warning as there is no way around the problem in this case.
|
Shouldn't the user disable I think the warning makes sense because Verifying the connecting IP address against SAN's iPAddress values is currently a missing feature in ruby/openssl. |
The behavior that is actually desired is that verification still happens at the certificate level (since IP addresses are supported in certificates), but SNI is not used (because IP addresses are not supported in SNI server names). There are net/http tests that check for this behavior (https://github.com/ruby/net-http/blob/master/test/net/http/test_https.rb#L249). In the context of net/http, turning off Another possible way to fix this would be to not call |
|
I've made changes to my net-http PR (ruby/net-http@d2cc3e1) so that this PR is no longer needed. @rhenium If you have time, could you check the net-http patch and see if it makes sense to you? If so, I'll close this. |
When connecting to an IP address, you should not set hostname,
since IP addresses are not allowed as SNI server names (per RFC 6066,
section 3). A recent change to LibreSSL made it more strict, and
LibreSSL will now raise an error if hostname= is used with an IP
address.
While SNI should not be used when connecting to an IP address, you
still want to verify that the certificate sent by the server is
valid for the IP address. Currently, that results in a warning,
but it should not result in a warning as there is no way around
the problem in this case.