-
Notifications
You must be signed in to change notification settings - Fork 30.2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
http: servername === false
should disable SNI
#27316
Conversation
There is no way to disable SNI extension when sending a request to HTTPS server. Setting `options.servername` to a falsy value would make Node.js core override it with either hostname or ip address. This change introduces a way to disable SNI completely if this is required for user's application. Setting `options.servername` to `false` in `https.request` would disable overrides and thus disable the extension.
cc @nodejs/http @nodejs/crypto |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM. (though I did not have this use case, it is plausible and would have simplified my testing)
Thank you for review everyone! |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM but one nit re: documentation.
doc/api/https.md
Outdated
@@ -29,6 +29,10 @@ An [`Agent`][] object for HTTPS similar to [`http.Agent`][]. See | |||
Can have the same fields as for [`http.Agent(options)`][], and | |||
* `maxCachedSessions` {number} maximum number of TLS cached sessions. | |||
Use `0` to disable TLS session caching. **Default:** `100`. | |||
* `servername` {string | boolean} the value of |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Boolean might be slightly misleading? It's really {string | false}
since setting it to true
won't do what one might expect...
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Beware that false
will be the only type case here and will baffle doc tools (tools/doc/type-parser.js
will throw).
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
That was exactly my reasoning. We might want to use null
as @bnoordhuis has suggested to fix this!
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM % nits others pointed out.
Observation: I don't think you can conclude from the test that no SNI extension is sent, just that the user's code doesn't set it explicitly. Maybe add a { SNICallback: cb }
to the server's options object to verify?
Question: isn't null
a better value than false
for the opt-out when true
doesn't work?
@bnoordhuis I think the test verifies it very well. The Is there a common practice for falsey values that we try to follow in core? In this PR's case - there are three possible types of values @vsemozhetbyt @apapirovski @srl295 @lpinca @BridgeAR may I ask y'all for an opinion on the topic? |
Not that I am aware of. Using Using I can not think of any API that only accepts Thus, I personally would go with either an empty string or |
I agree that an empty string and/or https://tools.ietf.org/html/rfc6066#section-3 doesn't allow zero-length server names, so an empty string is not a valid value, and attempting to set one will error with SSL_R_SSL3_EXT_INVALID_SERVERNAME if a string of length zero is passed to |
593faf5
to
1abce92
Compare
Alright, updated the PR to use |
There is no way to disable SNI extension when sending a request to HTTPS server. Setting `options.servername` to a falsy value would make Node.js core override it with either hostname or ip address. This change introduces a way to disable SNI completely if this is required for user's application. Setting `options.servername` to `` in `https.request` would disable overrides and thus disable the extension. PR-URL: nodejs#27316 Reviewed-By: Steven R Loomis <srloomis@us.ibm.com> Reviewed-By: Luigi Pinca <luigipinca@gmail.com> Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de> Reviewed-By: Anatoli Papirovski <apapirovski@mac.com> Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl> Reviewed-By: Rich Trott <rtrott@gmail.com> Reviewed-By: Sam Roberts <vieuxtech@gmail.com> Reviewed-By: Trivikram Kamat <trivikr.dev@gmail.com>
Landed in 98e9de7 |
There is no way to disable SNI extension when sending a request to HTTPS server. Setting `options.servername` to a falsy value would make Node.js core override it with either hostname or ip address. This change introduces a way to disable SNI completely if this is required for user's application. Setting `options.servername` to `` in `https.request` would disable overrides and thus disable the extension. PR-URL: #27316 Reviewed-By: Steven R Loomis <srloomis@us.ibm.com> Reviewed-By: Luigi Pinca <luigipinca@gmail.com> Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de> Reviewed-By: Anatoli Papirovski <apapirovski@mac.com> Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl> Reviewed-By: Rich Trott <rtrott@gmail.com> Reviewed-By: Sam Roberts <vieuxtech@gmail.com> Reviewed-By: Trivikram Kamat <trivikr.dev@gmail.com>
There is no way to disable SNI extension when sending a request to HTTPS
server. Setting
options.servername
to a falsy value would make Node.jscore override it with either hostname or ip address.
This change introduces a way to disable SNI completely if this is
required for user's application. Setting
options.servername
tofalse
in
https.request
would disable overrides and thus disable theextension.
Checklist
make -j4 test
(UNIX), orvcbuild test
(Windows) passes