| author | jsing <> | 2021-11-01 16:37:17 +0000 | 
|---|---|---|
| committer | jsing <> | 2021-11-01 16:37:17 +0000 | 
| commit | 29acda326d204926a29dc59b3fee2491ab5d5b5d (patch) | |
| tree | a3c71ae24931ccb437c44d27f9d1ed00b1095976 /src/lib/libcrypto/man/OPENSSL_load_builtin_modules.3 | |
| parent | 982e376a22bde30e77367c1b36dd6ce644fb6c9e (diff) | |
Improve SNI hostname validation.

For some time now we've validated the hostname provided to the server in
the SNI extension. Per RFC 6066, an IP literal is invalid as a hostname -
the current code rejects IPv6 literals, but allows IPv4 literals through.

Improve this check to explicitly detect both IPv4 and IPv6 literals. Some
software has been historically known to include IP literals in SNI, so
rather than rejecting this outright (and failing with a decode error),
pretend that the SNI extension does not exist (such that we do not break
some older clients).

ok inoguchi@ tb@
Diffstat (limited to 'src/lib/libcrypto/man/OPENSSL_load_builtin_modules.3')
0 files changed, 0 insertions, 0 deletions
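
The policy the commit message describes, as an added C example that is not the LibreSSL code from this commit: IP literals are detected before the hostname character check and are ignored rather than rejected. The names `sni_verdict` and `sni_classify`, the use of `inet_pton` as the literal detector, and the exact hostname character rules are assumptions made for illustration.

```c
#include <arpa/inet.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical verdicts for this example; not LibreSSL identifiers. */
enum sni_verdict { SNI_ACCEPT, SNI_IGNORE, SNI_REJECT };

/* Classify an SNI host_name as received: len bytes, not NUL-terminated. */
enum sni_verdict
sni_classify(const unsigned char *name, size_t len)
{
	struct in6_addr addr;	/* large enough for an IPv4 result as well */
	char buf[256];
	size_t i;

	if (len == 0 || len >= sizeof(buf) || memchr(name, '\0', len) != NULL)
		return SNI_REJECT;
	memcpy(buf, name, len);
	buf[len] = '\0';

	/* IP literals first: the character check below alone would accept
	 * "192.0.2.1" (digits and dots) while rejecting "::1" (colons). */
	if (inet_pton(AF_INET, buf, &addr) == 1 ||
	    inet_pton(AF_INET6, buf, &addr) == 1)
		return SNI_IGNORE;	/* carry on as if no SNI was sent */

	/* Letters, digits, '-' and '.'; no empty label, no '-' at a label edge. */
	for (i = 0; i < len; i++) {
		unsigned char c = name[i], prev = i > 0 ? name[i - 1] : '.';
		if (c == '.' || c == '-') {
			if (prev == '.' || (c == '.' && prev == '-'))
				return SNI_REJECT;
		} else if (!((c >= '0' && c <= '9') || (c >= 'a' && c <= 'z') ||
		    (c >= 'A' && c <= 'Z')))
			return SNI_REJECT;
	}
	if (name[len - 1] == '.' || name[len - 1] == '-')
		return SNI_REJECT;	/* RFC 6066: no trailing dot */
	return SNI_ACCEPT;
}

int main(void)
{
	/* Constructed sample names (documentation address ranges). */
	const char *s[] = { "www.example.com", "192.0.2.1", "2001:db8::1", "bad_host" };
	for (size_t i = 0; i < 4; i++)
		printf("%-16s -> %d\n", s[i], sni_classify((const unsigned char *)s[i], strlen(s[i])));
	return 0;
}
```

A server using this policy would run its normal no-SNI path (default certificate, no `server_name` acknowledgement) on `SNI_IGNORE` and abort the handshake only on `SNI_REJECT`.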
