Comment 27 for bug 1834340

Dan Streetman (ddstreet) wrote :

> Test with an IP address should not send SNI per the patch,
> so it should fail with the certificate verification error:

just to clarify as I was not clear at first:

-with <TLSv1.3, the client did not send and the server did not require SNI

-with >=TLSv1.3, some servers (as listed in description, e.g. gmail) require SNI
  -if the client is accessing the server via DNS name, it provides SNI
  -if the client is accessing the server via IP address, it does not provide SNI

So this means the servers that require SNI when using TLSv1.3 cannot (any longer?) be accessed by their direct IP address, their hostname *must* be used.

questions:
1) did access by IP address used to work, before updating to TLSv1.3?
2) if direct IP address used to work before, does the code need to do a fallback to pre-TLSv1.3 for servers that require SNI but are being accessed by IP address?

I have sponsored this to e, d, and b, as it seems to be doing the right thing based on the RFC:
https://tools.ietf.org/html/rfc6066#page-6
as discussed in previous comments.

But, I think the regression potential should be considered in case direct IP address access worked before (i.e. before the update to openssl 1.1.1), but isn't restored by this patch. At minimum it should be listed in the regression potential section of the description.

Thanks!
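To make the SNI behaviour described in the comment concrete, here is an added example (written for this page, not code from the bug report or from the patch under discussion). It implements the client-side decision from RFC 6066 section 3, which forbids literal IPv4/IPv6 addresses in the SNI HostName, so a client given an IP literal sends no server_name extension at all, and it encodes/decodes the server_name extension so that a toy "SNI-required" server check can show why such a connection is refused. The function names, the documentation-range addresses and the example hostnames are all assumptions made for the illustration; none of them appear in the bug.

```python
import ipaddress
import struct

# RFC 6066 section 3: ExtensionType server_name(0), NameType host_name(0)
SERVER_NAME_EXT_TYPE = 0x0000
HOST_NAME_TYPE = 0


def sni_host_for(target: str):
    """Decide what (if anything) goes into SNI for a connection target.

    Returns the host_name string for a DNS name, or None for an IPv4/IPv6
    literal, because RFC 6066 says literal addresses are not permitted in
    HostName. A trailing dot is dropped and IDN labels are converted to
    A-labels, as the extension carries ASCII only.
    """
    candidate = target.strip().rstrip(".")
    if candidate.startswith("[") and candidate.endswith("]"):
        candidate = candidate[1:-1]  # bracketed IPv6 literal, URL style
    if not candidate:
        raise ValueError("empty connection target")
    try:
        ipaddress.ip_address(candidate)
        return None  # IP literal: no SNI at all
    except ValueError:
        return candidate.encode("idna").decode("ascii")


def encode_server_name_ext(host_name: str) -> bytes:
    """Build the full server_name extension (type, length, ServerNameList)."""
    name = host_name.encode("ascii")
    entry = struct.pack("!BH", HOST_NAME_TYPE, len(name)) + name
    server_name_list = struct.pack("!H", len(entry)) + entry
    return struct.pack("!HH", SERVER_NAME_EXT_TYPE, len(server_name_list)) + server_name_list


def client_hello_extensions(target: str) -> bytes:
    """Extensions block a client would send for this target (SNI only here).

    Hypothetical helper: the rest of the ClientHello is left out, since the
    point of the example is that an IP literal produces an empty block.
    """
    host = sni_host_for(target)
    return b"" if host is None else encode_server_name_ext(host)


def decode_server_names(extensions: bytes):
    """Return the host_name entries found in a server_name extension, if any."""
    names, off = [], 0
    while off + 4 <= len(extensions):
        ext_type, ext_len = struct.unpack_from("!HH", extensions, off)
        off += 4
        body = extensions[off:off + ext_len]
        off += ext_len
        if ext_type != SERVER_NAME_EXT_TYPE:
            continue
        (list_len,) = struct.unpack_from("!H", body, 0)
        pos, end = 2, 2 + list_len
        while pos + 3 <= end:
            name_type, name_len = struct.unpack_from("!BH", body, pos)
            pos += 3
            if name_type == HOST_NAME_TYPE:
                names.append(body[pos:pos + name_len].decode("ascii"))
            pos += name_len
    return names


def sni_required_server_accepts(extensions: bytes) -> bool:
    """Model a server that, like the ones in the bug description, insists on
    SNI: the handshake only proceeds when a host_name entry is present."""
    return bool(decode_server_names(extensions))


if __name__ == "__main__":
    for target in ("smtp.example.com", "192.0.2.10", "[2001:db8::1]"):
        exts = client_hello_extensions(target)
        print(target, "-> SNI:", sni_host_for(target),
              "accepted by SNI-required server:", sni_required_server_accepts(exts))
```

Run as a script, the DNS-name target is the only one the SNI-required server accepts; both IP literals produce an empty extension block, which is exactly the situation the comment describes where access by direct IP address stops working once the server requires SNI.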