Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[AndroidCrypto] Any TargetHost input is set as SNI hostname #79143

Closed
simonrozsival opened this issue Dec 2, 2022 · 4 comments · Fixed by #89232
Closed

[AndroidCrypto] Any TargetHost input is set as SNI hostname #79143

simonrozsival opened this issue Dec 2, 2022 · 4 comments · Fixed by #89232
Labels
area-System.Net.Security os-android
Milestone
8.0.0

Comments

@simonrozsival
Copy link
Member

On Android, we put any TargetHost passed to a client SslStream into the SNI hostname:

This is a problem when the hostname doesn't conform to the STD 3 ASCII rules (see SNIHostName docs). In this case, the code throws an exception and we can't establish communication with the server.

One particular case, that also shows in our functional tests, are IPv6 addresses. The colon symbol is not allowed and an exception is thrown. The Android crypto PAL tracking issue (#45741) also mentions underscores in hostnames.

The RFC 6066 that defines SNI states:

Literal IPv4 and IPv6 addresses are not permitted in "HostName".

I think that our Android PAL shouldn't throw exceptions when SNIHostName rejects an IPv6 address and it should proceed with the handshake.

/cc @wfurt
Ref #77386 (comment)
@ghost ghost added the untriaged New issue has not been triaged by the area owner label Dec 2, 2022
@ghost
Copy link

ghost commented Dec 2, 2022

Tagging subscribers to this area: @dotnet/ncl, @vcsjones
See info in area-owners.md if you want to be subscribed.

Issue Details

On Android, we put any TargetHost passed to a client SslStream into the SNI hostname:

This is a problem when the hostname doesn't conform to the STD 3 ASCII rules (see SNIHostName docs). In this case, the code throws an exception and we can't establish communication with the server.

One particular case, that also shows in our functional tests, are IPv6 addresses. The colon symbol is not allowed and an exception is thrown. The Android crypto PAL tracking issue (#45741) also mentions underscores in hostnames.

The RFC 6066 that defines SNI states:

Literal IPv4 and IPv6 addresses are not permitted in "HostName".

I think that our Android PAL shouldn't throw exceptions when SNIHostName rejects an IPv6 address and it should proceed with the handshake.

/cc @wfurt
Ref #77386 (comment)

Author: simonrozsival
Assignees: -
Labels:

area-System.Net.Security, os-android
Milestone: -

@simonrozsival simonrozsival mentioned this issue Dec 2, 2022
Merged
@wfurt
Copy link
Member

wfurt commented Feb 8, 2023

The IPv6 LLA should be fixed by #81631. It seems like the RFC forbids us to pass in IP literals.
For weird names, it may perhaps be acceptable to either swallow the error and don't set the SNI or throw PNSE.

Now there has been some chatter about allowing SslStream to connect to sites that do not conform to the spec.
www-.volal.cz is one the examples where .NET fails but some other tools are able to connect.

@simonrozsival simonrozsival mentioned this issue Feb 9, 2023
Merged
@steveisok steveisok removed the untriaged New issue has not been triaged by the area owner label Jul 19, 2023
@steveisok
Copy link
Member

@simonrozsival @wfurt is this still an issue?

@simonrozsival simonrozsival mentioned this issue Jul 20, 2023
Merged
@ghost ghost added the in-pr There is an active PR which will close this issue when it is merged label Jul 20, 2023
@simonrozsival
Copy link
Member Author

@steveisok I think the issue has been sufficiently resolved with #81631. There are still three tests that we currently skip and need re-enabling. I opened #89232 to re-enable those tests and I think we can close this issue once that PR is merged.

@ghost ghost removed the in-pr There is an active PR which will close this issue when it is merged label Jul 26, 2023
@karelz karelz added this to the 8.0.0 milestone Aug 1, 2023
@ghost ghost locked as resolved and limited conversation to collaborators Aug 31, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
area-System.Net.Security os-android
Projects
None yet
Milestone
8.0.0
Development

Successfully merging a pull request may close this issue.

[Android] Enable skipped networking tests simonrozsival/runtime
4 participants
@simonrozsival @steveisok @karelz @wfurt