toCanonicalHost() #8223
Comments
Yeah good call. This looks like a bug! |
[edit] I think spec might be https://datatracker.ietf.org/doc/html/rfc6125
|
Listing where and why we use this: OkHostnameVerifier - to verify IP address matches according to RFC-6125. If we change for HttpUrl and route, we may need to leave hostname verification and certificate pinning as is. |
Also if I read correctly, ::192.168.0.1 is now a deprecated form "IPv4-Compatible IPv6 Address". https://datatracker.ietf.org/doc/html/rfc4291#section-2.5.5.1 While "IPv4-Mapped IPv6 Address" would be ::FFFF:192.168.0.1 |
OK, so we are doing this for "IPv4-Mapped IPv6 Address", I want to double check that.
But we aren't for the deprecated "IPv4-Compatible IPv6 Address". |
I think JDK also doesn't normalise these for certificates. So I'm tempted to say we should do less canonicalisation/normalisation here. |
I can't find examples of servers with IP Addresses that are exposed on the IPv4 mapped IPv6 address also.
If we were meant to convert to the IPv4 address I think curl above would succeed. Looking at https://crt.sh/?q=63e7d22b2c577656fda31462799d86cb725da7112c7f59b42615b0f96ac3c348
|
Thanks for your detailed comments! If I understand correctly, "IPv4 compatible IPv6 address" is no longer used in DNS resolution or certificates, so it would be "safe" to not correctly normalise this? If so, I can just remove these from the unit tests. |
Yep - but I think you've pointed out that we do too much, rather than not enough. |
Hi, I have written a unit test for the toCanonicalHost() function, which is used in the hostname verifier, and was wondering if this is the expected result. These IP addresses are used in existing unit tests so I believe they are valid addresses.
For IPv6 representation of IPv4 addresses toCanonicalHost() converts IPv4 to hex value and I am not sure if this is expected behavior.
I would expect
assertThat(toCanonicalHost("::192.168.0.1").equals("192.168.0.1")).isTrue();
not
assertThat(toCanonicalHost("::192.168.0.1").equals("::c0a8:1")).isTrue();
If there is an RFC regarding this that I am missing please let me know and ignore this. Thanks!
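The distinction the thread turns on, as an added example that is not part of the issue and is not OkHttp's code: it classifies a host as IPv4-mapped (`::ffff:a.b.c.d`, RFC 4291 section 2.5.5.2) or the deprecated IPv4-compatible form (`::a.b.c.d`, section 2.5.5.1) and only folds the mapped form down to IPv4 before comparing against certificate IP SANs. The function names and the folding policy are assumptions taken from the behaviour described in the comments; the sample inputs are constructed.

```python
import ipaddress

def classify(host):
    """Return the address form of `host` (hypothetical helper)."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return "hostname"
    if addr.version == 4:
        return "ipv4"
    raw = addr.packed  # 16 bytes, network byte order
    if raw[:10] == bytes(10) and raw[10:12] == b"\xff\xff":
        return "ipv4-mapped"  # ::ffff:a.b.c.d
    # ::a.b.c.d is the deprecated form; :: and ::1 are plain IPv6.
    if raw[:12] == bytes(12) and int.from_bytes(raw[12:], "big") > 1:
        return "ipv4-compatible"
    return "ipv6"

def canonical_host(host):
    """Canonical text form: only the IPv4-mapped form becomes dotted IPv4."""
    kind = classify(host)
    if kind == "hostname":
        return host.lower()
    addr = ipaddress.ip_address(host)
    if kind == "ipv4-mapped":
        return str(ipaddress.IPv4Address(addr.packed[12:]))
    # Everything else, including ::a.b.c.d, stays in its own family.
    return addr.compressed

def matches_ip_san(host, ip_sans):
    """True if `host` is an IP literal equal to one of the IP SAN strings."""
    if classify(host) == "hostname":
        return False  # IP SANs never match DNS names
    want = canonical_host(host)
    return any(canonical_host(san) == want for san in ip_sans)

if __name__ == "__main__":
    # Constructed sample: a certificate whose only IP SAN is 192.168.0.1.
    sans = ["192.168.0.1"]
    for h in ["192.168.0.1", "::ffff:192.168.0.1", "::192.168.0.1",
              "0:0:0:0:0:FFFF:C0A8:1", "::1", "example.com"]:
        print(f"{h:24} {classify(h):16} {canonical_host(h):14} "
              f"san_match={matches_ip_san(h, sans)}")
```

Under this policy the deprecated `::192.168.0.1` is never treated as equivalent to `192.168.0.1`, so a certificate issued for the IPv4 address does not validate a connection addressed with the IPv4-compatible form.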