Skip to content

[client] set TLS ServerName for hostname-based QUIC connections #3673

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 2 commits into from
May 5, 2025
Merged

[client] set TLS ServerName for hostname-based QUIC connections #3673

merged 2 commits into from
May 5, 2025

Conversation

alindt
Copy link
Contributor

@alindt alindt commented Apr 14, 2025

This sets ServerName in the TLS config when using hostnames to fix the validation.

Issue ticket number and link

Potentially fixes #3672

Stack

Checklist

  • Is it a bug fix
  • Is a typo/documentation fix
  • Is a feature enhancement
  • It is a refactor
  • Created tests that fail without the change (if possible)
  • Extended the README / documentation, if necessary

@CLAassistant
Copy link

CLAassistant commented Apr 14, 2025
edited
Loading

CLA assistant check
All committers have signed the CLA.

@alindt alindt force-pushed the quic-tls-hostname-fix branch from 26963b5 to 2fce2ad Compare April 14, 2025 10:00
@alindt alindt changed the title fix: set TLS ServerName for hostname-based QUIC connections [client] set TLS ServerName for hostname-based QUIC connections Apr 14, 2025
@pappz pappz self-requested a review April 14, 2025 10:15
@pappz
Copy link
Contributor

pappz commented Apr 14, 2025

The URL may not have a port number in the URL string. Could you support this scenario too?

@alindt
Copy link
Contributor Author

alindt commented Apr 14, 2025

@pappz Done.

@pappz
Copy link
Contributor

pappz commented Apr 15, 2025

@alindt
Modifying the prepareURL function is a little bit risky. We will lose the URL path.

I recommend that you create a function that figures out the serverName from the given URL string properly. I take a quick look to the WS package, the first step is the URL string will be converted to URL type and after that the net.SplitHostPort

@alindt
Copy link
Contributor Author

alindt commented Apr 15, 2025

@pappz I don't understand what you mean by "losing the URL path".

The only way the QUIC dialer uses quicURL is as a parameter for net.ResolveUDPAddr() which expects a host[:port] string, which is exactly what my changed prepareURL (still) does.

The only change is in appending the default ports as per your request, meaning it will always include a :port part.

Sorry, am I missing something?

alindt added 2 commits April 15, 2025 12:43
@alindt
fix: set TLS ServerName for hostname-based QUIC connections
93ca626 
When connecting to a relay server by hostname, certificates are
validated against the IP address instead of the hostname.
This change sets ServerName in the TLS config when connecting
via hostname, ensuring proper certificate validation.
@alindt
use default port if port is missing in URL string
93ce649
@alindt alindt force-pushed the quic-tls-hostname-fix branch from 6a11d67 to 93ce649 Compare April 15, 2025 10:48
@sonarqubecloud SonarQubeCloud
Copy link

Quality Gate Passed Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

@pappz
Copy link
Contributor

pappz commented Apr 15, 2025

You are right. I mixed the things a little bit. I take a look again.

@B08Z
Copy link

B08Z commented Apr 20, 2025

You are right. I mixed the things a little bit. I take a look again.

Any update on if this will be pulled in.

I think it's stopping my clients connecting to relay using quic

@pappz pappz merged commit ffdd115 into netbirdio:main May 5, 2025
31 of 32 checks passed
@alindt alindt deleted the quic-tls-hostname-fix branch May 5, 2025 11:04
@alindt alindt mentioned this pull request May 6, 2025
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@pappz pappz pappz approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

QUIC dialer fails with "doesn't contain any IP SANs" when connecting to relay hostname
4 participants
@alindt @CLAassistant @pappz @B08Z