
Commit d6decf2

tls: fix IPv6 hostname verification regression
The previous normalization logic applied domainToASCII() to all hostnames, which returns an empty string for raw IPv6 addresses. This caused the IP SAN check to be skipped and verification to incorrectly fall back to domain matching. This patch moves the IP address check before any IDNA conversion, ensuring IPv6 (and IPv4) addresses are compared directly against the certificate's IP Subject Alternative Names. Adds regression tests for IPv6 SAN verification. Fixes: #64032 Signed-off-by: Paraspandey-debugs <p.pandey250806@gmail.com>
1 parent b087e92 commit d6decf2

2 files changed

Lines changed: 24 additions & 3 deletions


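--- a/lib/tls.js
+++ b/lib/tls.js
@@ -336,7 +336,7 @@ function check(hostParts, pattern, wildcards) {
 // RFC 6125 does not allow wildcard substitution for components
 // containing IDNA A-labels (Punycode) so match those verbatim.
 if (patternSubdomainParts.length === 1 ||
-patternSubdomain.includes('xn--'))
+patternSubdomain.includes('xn--'))
 return hostSubdomain === patternSubdomain;
 
 if (!wildcards)
@@ -409,11 +409,11 @@ exports.checkServerIdentity = function checkServerIdentity(hostname, cert) {
 const ips = [];
 
 hostname = '' + hostname;
-const hostnameASCII = domainToASCII(hostname);
 
 // Remove trailing dots for error messages and matching.
 hostname = unfqdn(hostname);
-const hostnameASCIIWithoutFQDN = unfqdn(hostnameASCII);
+const hostnameASCIIWithoutFQDN = net.isIP(hostname) ?
+hostname : domainToASCII(hostname);
 
 if (altNames) {
 const splitAltNames = altNames.includes('"') ?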
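Review bot: The ternary on new lines 415-416 still yields an empty string whenever `domainToASCII()` rejects a non-IP hostname, since it returns '' for any invalid domain and not only for IP literals, and the commit does not say how the rest of `checkServerIdentity` treats an empty `hostnameASCIIWithoutFQDN`; that tail is outside the hunk, so it may already be covered, but it is worth confirming that an unconvertible hostname fails verification with an explicit reason rather than falling through to the name-matching branch with ''. The ordering also deserves a comment so a later tidy-up does not fold the IP check back behind the IDNA conversion, e.g. `// IP literals must bypass domainToASCII(), which returns '' for them` followed by `// (notably IPv6); compare them verbatim against the IP SANs instead.` The first hunk (lines 336-339) appears to be a whitespace-only change that the rendered view cannot display, so nothing to raise there.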

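--- a/test/parallel/test-tls-check-server-identity.js
+++ b/test/parallel/test-tls-check-server-identity.js
@@ -404,6 +404,27 @@ const tests = [
 error: 'Host: xn--bcher-kva.example.com. is not cert\'s CN: ' +
 'xn--*.example.com',
 },
+// IPv6 addresses
+{
+host: '::1', cert: {
+subjectaltname: 'IP Address:0:0:0:0:0:0:0:1',
+subject: {}
+}
+},
+{
+host: '::1', cert: {
+subjectaltname: 'IP Address:127.0.0.1',
+subject: {}
+},
+error: 'IP: ::1 is not in the cert\'s list: ' +
+'127.0.0.1'
+},
+{
+host: '2001:db8::1', cert: {
+subjectaltname: 'IP Address:2001:0DB8:0000:0000:0000:0000:0000:0001',
+subject: {}
+}
+},
 ];
 
 tests.forEach(function(test, i) {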
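Review bot: The new cases only exercise canonicalization of the SAN side (expanded '0:0:0:0:0:0:0:1', uppercase '2001:0DB8:…') while the host is always given in compact form, so the host-side path — the one this commit changes by keeping the raw IP away from `domainToASCII()` — is never tested with a non-canonical spelling. A case with an expanded, zero-padded host against a compact SAN would pin that, assuming the comparison canonicalizes the host the same way it evidently does the SAN; a trailing-dot form such as '::1.' would also document whether `unfqdn()` is meant to accept IP literals. The `tests` array continues outside the hunk.
```javascript
  // … unchanged: existing IPv6 cases …
  {
    host: '2001:0db8:0000:0000:0000:0000:0000:0001', cert: {
      subjectaltname: 'IP Address:2001:db8::1',
      subject: {}
    }
  },
```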
