Hey DM,

I've been hitting my webserver using an IPv6 address, and I'm getting a 400 response:

curl -vkI https://"\[2001:8003:4c06:5742:f1d0:3:279:1fd\]"

* Connected to 2001:8003:4c06:5742:f1d0:3:279:1fd (2001:8003:4c06:5742:f1d0:3:279:1fd) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* skipping SSL peer certificate verification
* SSL connection using TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
* Server certificate:
* subject: CN=bbs.leenooks.net
* start date: Aug 13 11:50:52 2020 GMT
* expire date: Nov 11 11:50:52 2020 GMT
* common name: bbs.leenooks.net
* issuer: CN=Let's Encrypt Authority X3,O=Let's Encrypt,C=US

HEAD / HTTP/1.1
User-Agent: curl/7.29.0
Host: [2001:8003:4c06:5742:f1d0:3:279:1fd]
Accept: */*

< HTTP/1.1 400 Bad Request
HTTP/1.1 400 Bad Request

But if I use a hostname, I get the 200.

I'm thinking the is_legal_hostname() test in webserver.c probably needs to test for '[]' ?

...����

... Between two evils, I always pick the one I never tried before.

---
� Synchronet � Alterant | an SBBS in Docker on Pi!

Re: webserver
By: alterego to Digital Man on Sun Oct 11 2020 04:50 pm

Hey DM,

I've been hitting my webserver using an IPv6 address, and I'm getting a 400 response:

curl -vkI https://"\[2001:8003:4c06:5742:f1d0:3:279:1fd\]"

* Connected to 2001:8003:4c06:5742:f1d0:3:279:1fd (2001:8003:4c06:5742:f1d0:3:279:1fd) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* skipping SSL peer certificate verification
* SSL connection using TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
* Server certificate:
* subject: CN=bbs.leenooks.net
* start date: Aug 13 11:50:52 2020 GMT
* expire date: Nov 11 11:50:52 2020 GMT
* common name: bbs.leenooks.net
* issuer: CN=Let's Encrypt Authority X3,O=Let's Encrypt,C=US

HEAD / HTTP/1.1
User-Agent: curl/7.29.0
Host: [2001:8003:4c06:5742:f1d0:3:279:1fd]
Accept: */*

< HTTP/1.1 400 Bad Request
HTTP/1.1 400 Bad Request

But if I use a hostname, I get the 200.

I'm thinking the is_legal_hostname() test in webserver.c probably needs to test for '[]' ?

[] is not a valid hostname. I suspect it's because of https and the certificate verification. Did you try just using http (not https)?

digital man

This Is Spinal Tap quote #44:
It really, it does disturb me, but i'll rise above it; I'm a professional. Norco, CA WX: 62.3�F, 88.0% humidity, 1 mph ESE wind, 0.00 inches rain/24hrs

---
� Synchronet � Vertrauen � Home of Synchronet � [vert/cvs/bbs].synchro.net

Re: webserver
By: Digital Man to alterego on Sat Oct 10 2020 11:38 pm

[] is not a valid hostname. I suspect it's because of https and the certificate verification. Did you try just using http (not https)?

Its valid when using an IPV6 address syntax though.

And yes, its not certificate related - hence the -k switch to curl. (And yes it exhibits the same issue with http://)

(If I make up a fake name in /etc/hosts, and curl -vkI https://fakename - I get a 200, and the certificate is definately not valid for fakename).

...����

... Pros are those who do their jobs well, even when they don't feel like it.

---
� Synchronet � Alterant | an SBBS in Docker on Pi!

Re: webserver
By: alterego to Digital Man on Mon Oct 12 2020 09:08 am

Re: webserver
By: Digital Man to alterego on Sat Oct 10 2020 11:38 pm

[] is not a valid hostname. I suspect it's because of https and the certificate verification. Did you try just using http (not https)?

Its valid when using an IPV6 address syntax though.

An IP address is not a hostname. That said, I don't know why a valid hostname is being tested for.

And yes, its not certificate related - hence the -k switch to curl. (And yes it exhibits the same issue with http://)

(If I make up a fake name in /etc/hosts, and curl -vkI https://fakename - I get a 200, and the certificate is definately not valid for fakename).

Interesting.

digital man

Rush quote #41:
Angels and demons dancing in my head, lunatics and monsters underneath my bed Norco, CA WX: 73.3�F, 62.0% humidity, 5 mph ENE wind, 0.00 inches rain/24hrs

---
� Synchronet � Vertrauen � Home of Synchronet � [vert/cvs/bbs].synchro.net