8000 exception when no server_name is sent · Issue #26 · openssl-net/openssl-net · GitHub
This repository was archived by the owner on Dec 15, 2022. It is now read-only.

exception when no server_name is sent #26

Open
rforbes opened this issue Jul 30, 2015 · 2 comments

Comments

rforbes commented Jul 30, 2015

I am setting up an SSL server using this wrapper, calling AuthenticateAsServer(cert). Using Firefox 41 I attempt to access the server using an IP address. With Firefox, if you try to connect using an IP address the server_name extension is not set. When I attempt this I get a "server names do not match" exception. It looks like it is setting up the SNI extension, attempting to match, seeing that the secure_name extension is not present, and failing. Perhaps if the server_name extension is not present it should ignore it?

rforbes commented Jul 31, 2015

Chrome, however, does send a server_name extension when you browse to an IP address. This still fails, as openssl is using "localhost" as the server name and Chrome sends the IP address you are browsing to.

rforbes commented Aug 14, 2015

I did a bunch of playing around with this and the core problem seems to be here.

In SslStreamServer.cs:

        sniCb = sniExt.ServerSniCb;
        sniExt.AttachSniExtensionServer(ssl.Handle, sslContext.Handle, sniCb);

It doesn't verify that there is any server name. Given that the spec says not to send an IP address as the server name, it would make sense to deal with the case of no SNI in the request.

My thought was to do something like:

        // Only attach the SNI callback when a usable host name was sent:
        // not absent, and not an IP literal (RFC 6066 says IPs must not be sent)
        if (serverName != null && !IPAddress.TryParse(serverName, out _)) {
            sniCb = sniExt.ServerSniCb;
            sniExt.AttachSniExtensionServer(ssl.Handle, sslContext.Handle, sniCb);
        }

The problem was, I couldn't figure out how to get the actual server name from the SSL stream. I found this in SNI.cs:

        var extServerNamePtr = Native.SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name);
        var extServerName = Marshal.PtrToStringAnsi(extServerNamePtr);

I tried using that, but for some reason the SSL handle isn't correct when in this method. I will admit, all this callback stuff is way beyond me. I spent a while trying to see if I could piece it out, with no luck.

Bottom line, if there is some way to get the server name from the SSLstream object it would help a lot but I couldn't figure out how to do it.
-r
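The decision the callback should make with the value `SSL_get_servername` returns, as an added example that is not openssl-net code and does not use its callback signature (the `SniPolicy`/`SniAction` names are assumed; the expected host name is whatever the server certificate was issued for):

```csharp
using System;
using System.Net;

// Added example (not from the openssl-net project): what an SNI server-name
// callback should do with the server_name value, covering the two cases from
// the thread: no extension at all (Firefox + IP address) and an IP literal
// sent as the name (Chrome + IP address).
enum SniAction { UseDefaultCert, UseNamedCert, Reject }

static class SniPolicy
{
    // serverName: value from the server_name extension, or null when the
    // client sent none. expectedName: host name the server's cert is for.
    public static SniAction Decide(string serverName, string expectedName)
    {
        // No extension: RFC 6066 lets the server proceed with its default
        // certificate, so this must not be reported as a name mismatch.
        if (string.IsNullOrEmpty(serverName))
            return SniAction.UseDefaultCert;

        // RFC 6066 forbids IP literals in server_name. If a client sends one
        // anyway, ignore the value instead of failing the handshake.
        if (IPAddress.TryParse(serverName, out _))
            return SniAction.UseDefaultCert;

        // A real host name: DNS names compare case-insensitively.
        if (string.Equals(serverName, expectedName, StringComparison.OrdinalIgnoreCase))
            return SniAction.UseNamedCert;

        // Unknown host name: the caller maps this to OpenSSL's
        // SSL_TLSEXT_ERR_ALERT_FATAL (unrecognized_name) or, more leniently,
        // SSL_TLSEXT_ERR_NOACK to continue with the default certificate.
        return SniAction.Reject;
    }

    static void Main()
    {
        Console.WriteLine(Decide(null, "localhost"));
        Console.WriteLine(Decide("192.0.2.10", "localhost"));
        Console.WriteLine(Decide("LOCALHOST", "localhost"));
        Console.WriteLine(Decide("other.example", "localhost"));
    }
}
```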
