Make dns_hostname optional to disable verify #1907

Merged
merged 2 commits into from Mar 19, 2023

Contributor

@mokeyish mokeyish commented Mar 16, 2023

An HTTPS service can optionally verify the server_name (dns_hostname); only the certificate and certificate key are required.

@mokeyish
Contributor Author

@bluejekyll Do you have time to review this?

@bluejekyll
Member

> An HTTPS service can optionally verify the server_name (dns_hostname); only the certificate and certificate key are required.

Would you mind finding a link to this in the RFC? I thought a name was always required; I could be wrong.

@bluejekyll
Member

Also, it would be great if there were a test validating this functionality; the TLS libraries can get finicky when things like this change.

@mokeyish
Contributor Author

> Also, it would be great if there were a test validating this functionality; the TLS libraries can get finicky when things like this change.

There is no actual RFC. This dns_hostname (SNI) is mainly for client verification. HTTPS server verification is based on mood (optional), and it is judged whether it is consistent with the Host in the HTTP header. TLS is completely unnecessary and thus has nothing to do with the TLS library.

@mokeyish
Contributor Author

The hostname is not passed to register_tls_listener here.

https://github.com/bluejekyll/trust-dns/blob/912c0b0a0730f0c8212b5fe43b2ef510e6f4ad21/bin/src/trust-dns.rs#L548-L552

Member

@bluejekyll bluejekyll left a comment

OK, this looks good. Thanks for answering the questions.

@bluejekyll bluejekyll merged commit 0f55934 into hickory-dns:main Mar 19, 2023
@mokeyish mokeyish deleted the optional_dns_hostname_verify branch March 20, 2023 16:16

2 participants