Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

tls: emit a warning when servername is an IP address #18127

Closed
wants to merge 1 commit into from

Conversation

rcombs
Copy link

@rcombs rcombs commented Jan 13, 2018

Refs: #18071

Checklist
  • make -j4 test (UNIX), or vcbuild test (Windows) passes
  • commit message follows commit guidelines
Affected core subsystem(s)

tls

@nodejs-github-bot nodejs-github-bot added the tls Issues and PRs related to the tls subsystem. label Jan 13, 2018
Copy link
Member

@bnoordhuis bnoordhuis left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It would be nice to have a regression test for this.

lib/_tls_wrap.js Outdated
process.emitWarning(
'Setting the TLS ServerName to an IP address is not supported by ' +
'RFC6066. This will be ignored in a future version.',
'UnsupportedWarning'
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can you emit 'DeprecationWarning' plus a DEPxxxx code here? The code needs to be added to doc/api/deprecations.md.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just a note, making this a DeprecationWarning would make this semver-major

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm a little out of my depth here with regards to both node's deprecation and its versioning semantics.
Depending on what level the "drop hostname on IP" thing ultimately ends up at (could be here; could be tls.js?), I'm not sure this makes sense to consider a "deprecation" per se? Most if not all existing external users should see the warning for a version, then see it silently go away with no change necessary in a future version.

Copy link
Member

@joyeecheung joyeecheung Jan 13, 2018

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think the sentence This will be ignored in a future version. implies that it is a deprecation. Making it a DeprecationWarning gives us a proper documentation for the behavior change.

Also this reminds me, can you add a entry to the changes YAML field in the documentation of tls.connect? Note that in PRs the version field should be REPLACEME.

lib/_tls_wrap.js Outdated
@@ -1138,8 +1140,17 @@ exports.connect = function(...args /* [port,] [host,] [options,] [cb] */) {
if (options.session)
socket.setSession(options.session);

if (options.servername)
if (options.servername) {
if (ipServernameWarned === false && net.isIP(options.servername)) {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Using !ipServernameWarned instead of ipServernameWarned === false might be better.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just a quick note here that may be worth noting in the docs... the net.isIP() function returns 0 if an ipv6 address is given with the surrounding [ ] ... e.g. net.isIP('[fe80::a00:27ff:fec0:eb1a]') === 0. This is, of course, correct because the square brackets are not actually a part of the address, but it could catch some users.

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I went with === false to match an existing one-time warning (dunno if it optimizes slightly better or what); I can switch to ! if you prefer.

url.parse('https://[fe80::a00:27ff:fec0:eb1a]:3333/'), for instance, fills hostname with fe80::a00:27ff:fec0:eb1a (bracketless), and if you manually build a URL with brackets around an IPv6 address in hostname, https.get() on it fails on DNS lookup, so I think we should be fine there?

@BridgeAR
Copy link
Member

BridgeAR commented Feb 1, 2018

@rcombs would you be so kind and address the comments? I guess the second one is fine as is (Pinging @jasnell anyway).

@BridgeAR
Copy link
Member

Ping @rcombs

@rcombs
Copy link
Author

rcombs commented Feb 13, 2018

Rebased and made the requested style change. I don't know how to add regression tests or how to handle deprecation rules, so if someone who does wants to take this that'd be 👍.

@BridgeAR
Copy link
Member

@rcombs seems like something went wrong while rebasing? There are still conflicts?

You can easily check how a deprecation works when looking at e.g.

'DEP0094'
and .

@joyeecheung
Copy link
Member

You can use common.expectWarning to test the warning. The docs on how to write a test is here

@BridgeAR
Copy link
Member

@rcombs I wrote a small gist to summarize how to create a test.

@BridgeAR
Copy link
Member

BridgeAR commented Mar 2, 2018

Ping @rcombs

@bnoordhuis
Copy link
Member

Ping @rcombs - do you still want to follow up?

@rcombs
Copy link
Author

rcombs commented Mar 15, 2018

Sorry, I haven't had a chance to get around to this. I'm not sure I'm really the best person to go through the internal process for this (and then follow it up in the next release).

@bnoordhuis
Copy link
Member

If you mean back-porting, that's usually taken care of by collaborators.

@rcombs
Copy link
Author

rcombs commented Mar 15, 2018

I meant removing the warning and changing the behavior.

@bnoordhuis
Copy link
Member

Oh, I can open an issue for that once this PR lands.

@BridgeAR
Copy link
Member

@rcombs I would love to land this but it still needs a test. I am not sure if your former comment was about adding a test or not. Do you think you get the time to address that? :-)

@BridgeAR
Copy link
Member

I am closing this due to no further progress.

@rcombs please feel free to leave a comment if you would like to work on this again to add a test or open a new PR.

@BridgeAR BridgeAR closed this May 15, 2018
@BridgeAR
Copy link
Member

@rcombs thanks a lot for your contribution anyway! It is much appreciated and I still think it would be good to get a solution for #18071.

@oyyd
Copy link
Contributor

oyyd commented Oct 8, 2018

if someone who does wants to take this that'd be 👍.

I would like to take this and help to close #18071 basing on your work. @rcombs Thanks for your investigation!

oyyd added a commit to oyyd/node that referenced this pull request Oct 28, 2018
Setting the TLS ServerName to an IP address is not permitted by
RFC6066. This will be ignored in a future version.

Closes: nodejs#18071
Refs: nodejs#18127
oyyd pushed a commit that referenced this pull request Nov 15, 2018
Setting the TLS ServerName to an IP address is not permitted by
RFC6066. This will be ignored in a future version.

Refs: #18127

PR-URL: #23329
Fixes: #18071
Reviewed-By: James M Snell <[email protected]>
Reviewed-By: Luigi Pinca <[email protected]>
Reviewed-By: Trivikram Kamat <[email protected]>
Reviewed-By: Sakthipriyan Vairamani <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
tls Issues and PRs related to the tls subsystem.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

8 participants