Comments (11)
Also if I read correctly, ::192.168.0.1 is now a deprecated form "IPv4-Compatible IPv6 Address". https://datatracker.ietf.org/doc/html/rfc4291#section-2.5.5.1
While "IPv4-Mapped IPv6 Address" would be ::FFFF:192.168.0.1
from okhttp.
OK, so we are doing this for "IPv4-Mapped IPv6 Address", I want to double check that.
canonicalizeInetAddress
and isMappedIpv4Address
But we aren't for the deprecated "IPv4-Compatible IPv6 Address".
from okhttp.
I can't find examples of servers with IP Addresses that are exposed on the IPv4 mapped IPv6 address also.
PS C:\Users\yuri> curl https://[::1.1.1.1]/
curl: (7) Failed to connect to ::1.1.1.1 port 443 after 0 ms: Couldn't connect to server
PS C:\Users\yuri> curl https://[::ffff:1.1.1.1]/
curl: (60) schannel: SNI or certificate check failed: SEC_E_WRONG_PRINCIPAL (0x80090322) - The target principal name is incorrect.
More details here: https://curl.se/docs/sslcerts.html
curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
If we were meant to convert to the IPv4 address I think curl above would succeed.
Looking at https://crt.sh/?q=63e7d22b2c577656fda31462799d86cb725da7112c7f59b42615b0f96ac3c348
X509v3 Subject Alternative Name:
DNS:cloudflare-dns.com
DNS:*.cloudflare-dns.com
DNS:one.one.one.one
IP Address:1.0.0.1
IP Address:1.1.1.1
IP Address:162.159.36.1
IP Address:162.159.46.1
IP Address:2606:4700:4700:0:0:0:0:1001
IP Address:2606:4700:4700:0:0:0:0:1111
IP Address:2606:4700:4700:0:0:0:0:64
IP Address:2606:4700:4700:0:0:0:0:6400
from okhttp.
Thanks for your detailed comments! If I understand correctly, "IPv4 compatible IPv6 address" is no longer used in DNS resolution or certificates, so it would be "safe" to not correctly normalise this? If so, I can just remove these from the unit tests.
We are using this function for client side hostname verifier, so we wanted to make sure this does not affect any users.
from okhttp.
Yeah good call. This looks like a bug!
from okhttp.
[edit]
I think spec might be
https://datatracker.ietf.org/doc/html/rfc6125
3.1.3.2. Comparison of IP Addresses
When the reference identity is an IP address, the identity MUST be
converted to the "network byte order" octet string representation
[IP] [IPv6]. For IP Version 4, as specified in RFC 791, the octet
string will contain exactly four octets. For IP Version 6, as
specified in RFC 2460, the octet string will contain exactly sixteen
octets. This octet string is then compared against subjectAltName
values of type iPAddress. A match occurs if the reference identity
octet string and value octet strings are identical.
from okhttp.
I think curl agrees. https://github.com/curl/curl/blob/0f4c19b66ad5c646ebc3c4268a0f3ad9c15bf57c/lib/vtls/openssl.c#L2222
from okhttp.
Listing where an why we use this
OkHostnameVerifier - to verify IP address matches according to RFC-6125
CertificatePinner - to check against IP
Cookie - domain
Route.toString
HttpUrl - decoding and setting host
If we change for HttpUrl and route, we may need to leave hostname verification and certificate pinning as is.
from okhttp.
I think JDK also doesn't normalise these for certificates. So I'm tempted to we should do less canonicalisation/normalisation here.
from okhttp.
Chrome/Brave also fails
from okhttp.
Yep - but I think you've pointed out that we do too much, rather than not enough.
from okhttp.
Related Issues (20)
- Unable to parse TLS packet header exception when using specific socks5 proxys HOT 1
- Potential failure on CallServerInterceptor if writeRequestHeader fails HOT 1
- Virtual thread pinning with 5.0.0-alpha.12 HOT 5
- Websocket connection failing few seconds after getting connected HOT 1
- How to cleanly pin a network HOT 1
- Dependency convergence issue with kotlin-stdlib-jdk8 (via okio) HOT 8
- Documentation: Is it possible to update the comment with more info HOT 1
- Check Cache headers against spec
- IllegalStateException: closed : HttpLoggingInterceptor.kt:248 HOT 1
- MockWebServer Dispatcher bug HOT 1
- Multiple async request do not store anything to cache HOT 1
- Add a means to reset Postponed Routes HOT 3
- Lets changes our OkHttp 5 async DNS APIs HOT 3
- Test MockWebServer with Loom
- Review tests failing on windows HOT 1
- The request body data added in the NetworkInterceptor was found not included in the capture by Charles. HOT 1
- The request body data added in the NetworkInterceptor was found not included in the capture by Charles
- Gzip/Deflate/Bortli not workin okhttp3 4.12.0/5.0.0-alpha12 HOT 5
- DiskLruCache entry?.currentEditor is allways not null for async requests HOT 1
- Documentation: Clearly state that OkHttpClient should be a singleton HOT 6
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from okhttp.