Commit d6decf2
tls: fix IPv6 hostname verification regression
The previous normalization logic applied domainToASCII() to all hostnames,
which returns an empty string for raw IPv6 addresses. This caused the IP SAN
check to be skipped and verification to incorrectly fall back to domain
matching. This patch moves the IP address check before any IDNA conversion,
ensuring IPv6 (and IPv4) addresses are compared directly against the
certificate's IP Subject Alternative Names.
Adds regression tests for IPv6 SAN verification.
Fixes: #64032
Signed-off-by: Paraspandey-debugs <p.pandey250806@gmail.com>
1 parent b087e92 commit d6decf2
2 files changed
Lines changed: 24 additions & 3 deletions
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
336 | 336 | | |
337 | 337 | | |
338 | 338 | | |
339 | | - | |
| 339 | + | |
340 | 340 | | |
341 | 341 | | |
342 | 342 | | |
| |||
409 | 409 | | |
410 | 410 | | |
411 | 411 | | |
412 | | - | |
413 | 412 | | |
414 | 413 | | |
415 | 414 | | |
416 | | - | |
| 415 | + | |
| 416 | + | |
417 | 417 | | |
418 | 418 | | |
419 | 419 | | |
| |||
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
404 | 404 | | |
405 | 405 | | |
406 | 406 | | |
| 407 | + | |
| 408 | + | |
| 409 | + | |
| 410 | + | |
| 411 | + | |
| 412 | + | |
| 413 | + | |
| 414 | + | |
| 415 | + | |
| 416 | + | |
| 417 | + | |
| 418 | + | |
| 419 | + | |
| 420 | + | |
| 421 | + | |
| 422 | + | |
| 423 | + | |
| 424 | + | |
| 425 | + | |
| 426 | + | |
| 427 | + | |
407 | 428 | | |
408 | 429 | | |
409 | 430 | | |
| |||