tls: emit a warning when servername is an IP address #18127
Conversation
lib/_tls_wrap.js
Outdated
| process.emitWarning( | ||
| 'Setting the TLS ServerName to an IP address is not supported by ' + | ||
| 'RFC6066. This will be ignored in a future version.', | ||
| 'UnsupportedWarning' |
There was a problem hiding this comment.
Can you emit 'DeprecationWarning' plus a DEPxxxx code here? The code needs to be added to doc/api/deprecations.md.
There was a problem hiding this comment.
Just a note, making this a DeprecationWarning would make this semver-major
There was a problem hiding this comment.
I'm a little out of my depth here with regards to both node's deprecation and its versioning semantics.
Depending on what level the "drop hostname on IP" thing ultimately ends up at (could be here; could be tls.js?), I'm not sure this makes sense to consider a "deprecation" per se? Most if not all existing external users should see the warning for a version, then see it silently go away with no change necessary in a future version.
There was a problem hiding this comment.
I think the sentence This will be ignored in a future version. implies that it is a deprecation. Making it a DeprecationWarning gives us a proper documentation for the behavior change.
Also this reminds me, can you add a entry to the changes YAML field in the documentation of tls.connect? Note that in PRs the version field should be REPLACEME.
lib/_tls_wrap.js
Outdated
| @@ -1138,8 +1140,17 @@ exports.connect = function(...args /* [port,] [host,] [options,] [cb] */) { | |||
| if (options.session) | |||
| socket.setSession(options.session); | |||
|
|
|||
| if (options.servername) | |||
| if (options.servername) { | |||
| if (ipServernameWarned === false && net.isIP(options.servername)) { | |||
There was a problem hiding this comment.
Using !ipServernameWarned instead of ipServernameWarned === false might be better.
There was a problem hiding this comment.
Just a quick note here that may be worth noting in the docs... the net.isIP() function returns 0 if an ipv6 address is given with the surrounding [ ] ... e.g. net.isIP('[fe80::a00:27ff:fec0:eb1a]') === 0. This is, of course, correct because the square brackets are not actually a part of the address, but it could catch some users.
There was a problem hiding this comment.
I went with === false to match an existing one-time warning (dunno if it optimizes slightly better or what); I can switch to ! if you prefer.
url.parse('https://[fe80::a00:27ff:fec0:eb1a]:3333/'), for instance, fills hostname with fe80::a00:27ff:fec0:eb1a (bracketless), and if you manually build a URL with brackets around an IPv6 address in hostname, https.get() on it fails on DNS lookup, so I think we should be fine there?
|
Ping @rcombs |
|
Rebased and made the requested style change. I don't know how to add regression tests or how to handle deprecation rules, so if someone who does wants to take this that'd be 👍. |
|
You can use |
|
Ping @rcombs |
|
Ping @rcombs - do you still want to follow up? |
|
Sorry, I haven't had a chance to get around to this. I'm not sure I'm really the best person to go through the internal process for this (and then follow it up in the next release). |
|
If you mean back-porting, that's usually taken care of by collaborators. |
|
I meant removing the warning and changing the behavior. |
|
Oh, I can open an issue for that once this PR lands. |
|
@rcombs I would love to land this but it still needs a test. I am not sure if your former comment was about adding a test or not. Do you think you get the time to address that? :-) |
|
I am closing this due to no further progress. @rcombs please feel free to leave a comment if you would like to work on this again to add a test or open a new PR. |
Setting the TLS ServerName to an IP address is not permitted by RFC6066. This will be ignored in a future version. Closes: nodejs#18071 Refs: nodejs#18127
Setting the TLS ServerName to an IP address is not permitted by RFC6066. This will be ignored in a future version. Refs: #18127 PR-URL: #23329 Fixes: #18071 Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Luigi Pinca <luigipinca@gmail.com> Reviewed-By: Trivikram Kamat <trivikr.dev@gmail.com> Reviewed-By: Sakthipriyan Vairamani <thechargingvolcano@gmail.com>
Refs: #18071
Checklist
make -j4 test(UNIX), orvcbuild test(Windows) passesAffected core subsystem(s)
tls