-
Notifications
You must be signed in to change notification settings - Fork 30k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
tls: emit a warning when servername is an IP address #18127
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It would be nice to have a regression test for this.
lib/_tls_wrap.js
Outdated
process.emitWarning( | ||
'Setting the TLS ServerName to an IP address is not supported by ' + | ||
'RFC6066. This will be ignored in a future version.', | ||
'UnsupportedWarning' |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can you emit 'DeprecationWarning'
plus a DEPxxxx code here? The code needs to be added to doc/api/deprecations.md
.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Just a note, making this a DeprecationWarning would make this semver-major
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm a little out of my depth here with regards to both node's deprecation and its versioning semantics.
Depending on what level the "drop hostname on IP" thing ultimately ends up at (could be here; could be tls.js?), I'm not sure this makes sense to consider a "deprecation" per se? Most if not all existing external users should see the warning for a version, then see it silently go away with no change necessary in a future version.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think the sentence This will be ignored in a future version.
implies that it is a deprecation. Making it a DeprecationWarning
gives us a proper documentation for the behavior change.
Also this reminds me, can you add a entry to the changes
YAML field in the documentation of tls.connect
? Note that in PRs the version
field should be REPLACEME
.
lib/_tls_wrap.js
Outdated
@@ -1138,8 +1140,17 @@ exports.connect = function(...args /* [port,] [host,] [options,] [cb] */) { | |||
if (options.session) | |||
socket.setSession(options.session); | |||
|
|||
if (options.servername) | |||
if (options.servername) { | |||
if (ipServernameWarned === false && net.isIP(options.servername)) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Using !ipServernameWarned
instead of ipServernameWarned === false
might be better.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Just a quick note here that may be worth noting in the docs... the net.isIP()
function returns 0 if an ipv6 address is given with the surrounding [
]
... e.g. net.isIP('[fe80::a00:27ff:fec0:eb1a]') === 0
. This is, of course, correct because the square brackets are not actually a part of the address, but it could catch some users.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I went with === false
to match an existing one-time warning (dunno if it optimizes slightly better or what); I can switch to !
if you prefer.
url.parse('https://[fe80::a00:27ff:fec0:eb1a]:3333/')
, for instance, fills hostname
with fe80::a00:27ff:fec0:eb1a
(bracketless), and if you manually build a URL with brackets around an IPv6 address in hostname
, https.get()
on it fails on DNS lookup, so I think we should be fine there?
Ping @rcombs |
Rebased and made the requested style change. I don't know how to add regression tests or how to handle deprecation rules, so if someone who does wants to take this that'd be 👍. |
You can use |
Ping @rcombs |
Ping @rcombs - do you still want to follow up? |
Sorry, I haven't had a chance to get around to this. I'm not sure I'm really the best person to go through the internal process for this (and then follow it up in the next release). |
If you mean back-porting, that's usually taken care of by collaborators. |
I meant removing the warning and changing the behavior. |
Oh, I can open an issue for that once this PR lands. |
@rcombs I would love to land this but it still needs a test. I am not sure if your former comment was about adding a test or not. Do you think you get the time to address that? :-) |
I am closing this due to no further progress. @rcombs please feel free to leave a comment if you would like to work on this again to add a test or open a new PR. |
Setting the TLS ServerName to an IP address is not permitted by RFC6066. This will be ignored in a future version. Closes: nodejs#18071 Refs: nodejs#18127
Setting the TLS ServerName to an IP address is not permitted by RFC6066. This will be ignored in a future version. Refs: #18127 PR-URL: #23329 Fixes: #18071 Reviewed-By: James M Snell <[email protected]> Reviewed-By: Luigi Pinca <[email protected]> Reviewed-By: Trivikram Kamat <[email protected]> Reviewed-By: Sakthipriyan Vairamani <[email protected]>
Refs: #18071
Checklist
make -j4 test
(UNIX), orvcbuild test
(Windows) passesAffected core subsystem(s)
tls