Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Ensure port isn't included in SNI hostname #76

Merged
merged 2 commits into from
Feb 26, 2025
Merged

Ensure port isn't included in SNI hostname #76

merged 2 commits into from
Feb 26, 2025

Conversation

glbrntt
Copy link
Collaborator

@glbrntt glbrntt commented Feb 26, 2025

Motivation:

gRPC derives the authority from various sources and uses this value for the SNI server hostname. The authority should include non-standard ports and the SNI hostname must not include the port. In some cases this wasn't being respected and the port was being used in SNI this results in handshake failures.

Modifications:

  • Have the Connection sanitize the authority so that it's suitable for SNI.

Result:

@glbrntt
Ensure port isn't included in SNI hostname
76b863a 
Motivation:

gRPC derives the authority from various sources and uses this value for
the SNI server hostname. The authority should include non-standard
ports and the SNI hostname must not include the port. In some cases this
wasn't being respected and the port was being used in SNI this results
in handshake failures.

Modifications:

- Have the Connection sanitize the authority so that it's suitable for
  SNI.

Result:

- Fewer handshake failures
- Resolves grpc#71
@glbrntt glbrntt added the 🔨 semver/patch No public API change. label Feb 26, 2025
@glbrntt glbrntt requested a review from gjcairo February 26, 2025 08:06
gjcairo
gjcairo reviewed Feb 26, 2025
View reviewed changes
Tests/GRPCNIOTransportCoreTests/Client/Connection/ConnectionTests.swift
)

try await self.testAuthorityIsSanitized(
authority: "foo.example-31415",
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Not sure if this would be a valid authority name (not sure if there are rules around the SNI format), but could we test that something with a colon like foo.example:a123 would not strip what comes after the colon?

@glbrntt glbrntt requested a review from gjcairo February 26, 2025 13:56
@glbrntt glbrntt merged commit b07aa65 into grpc:main Feb 26, 2025
26 of 28 checks passed
@glbrntt glbrntt deleted the sni-port branch February 26, 2025 14:07
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@gjcairo gjcairo gjcairo approved these changes

Assignees
No one assigned
Labels
🔨 semver/patch No public API change.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Port can be incorrectly included in TLS SNI hostname
2 participants
@glbrntt @gjcairo