You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
When using a fully qualified domain name like google.com. (note the trailing dot), reqwest uses the provided domain in verbatim when comparing the common name of the certificate (CN).
For example, this:
let text = reqwest::get("https://google.com.").await.unwrap().text().await.unwrap();
Errors like this on my machine using native-tls:
reqwest::Error { kind: Request, url: Url { scheme: "https", cannot_be_a_base: false, username: "", password: None, host: Some(Domain("google.com.")), port: None, path: "/", query: None, fragment: None },
source: Error { kind: Connect, source: Some(Os { code: -2146762481, kind: Uncategorized, message: "The certificate's CN name does not match the passed value." }) } }
A trailing dot should be semantically equivalent in DNS, but hardly anybody issues certificates with a CN including them. It might be appropriate to do like most browsers and filter such domains by ignoring the trailing dot when doing the CN comparison.
The text was updated successfully, but these errors were encountered:
udoprog
changed the title
reqwest using a verbatim CN when establishing a TLS connection when filtering might be appropriate
Using a verbatim common name including a trailing dot when establishing a TLS connection causes certificate issues
Apr 14, 2024
When using a fully qualified domain name like
google.com.
(note the trailing dot), reqwest uses the provided domain in verbatim when comparing the common name of the certificate (CN).For example, this:
Errors like this on my machine using native-tls:
A trailing dot should be semantically equivalent in DNS, but hardly anybody issues certificates with a CN including them. It might be appropriate to do like most browsers and filter such domains by ignoring the trailing dot when doing the CN comparison.
This seems to be the behavior of
requests
.It might also be interesting to read Mozzila's position on the matter.
The text was updated successfully, but these errors were encountered: