
IP addresses aren't sent in SNI

Open ericlaw1979 opened this issue 9 years ago • 3 comments

Browsers shouldn't be sending an IP address in a SNI, and LetsEncrypt, as far as I know, should refuse to issue a certificate for an IP address.

ericlaw1979 avatar Nov 02 '16 21:11 ericlaw1979

Similar issue if the client requests an unqualified hostname (no dots)?

ericlaw1979 avatar Nov 02 '16 21:11 ericlaw1979

Ah, I sort of assumed these would be covered by the regex. They're not?

dakami avatar Nov 03 '16 18:11 dakami

Regexes are hard to read. :)

^((?!-)[A-Za-z0-9-]{1,63}(?<!-)\.)+[A-Za-z]{2,6}$ does indeed reject both of those cases, although it does mean that you cannot use an IP address to access the site.

The regex (arguably incorrectly) allows "538.com" and disallows "www.something.bargains"

ericlaw1979 avatar Dec 01 '16 21:12 ericlaw1979
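The cases raised in this thread, run against the quoted pattern, as an added example that is not part of the issue or the project's code. `classify_sni`, its return labels and the sample names are hypothetical; it shows one way to refuse IP literals and unqualified names explicitly, without the 2 to 6 letter cap on the last label.

```python
import ipaddress
import re

# Pattern quoted in the thread, with the label separator as an escaped dot.
THREAD_REGEX = re.compile(r"^((?!-)[A-Za-z0-9-]{1,63}(?<!-)\.)+[A-Za-z]{2,6}$")

# Hypothetical per-label rule: letters, digits, hyphen; no edge hyphen.
LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")


def thread_regex_allows(name: str) -> bool:
    """True when the pattern from the thread accepts the name."""
    return THREAD_REGEX.match(name) is not None


def classify_sni(name: str) -> str:
    """Hypothetical alternative: say why a server_name value is refused."""
    try:
        # Brackets are stripped so "[2001:db8::1]" is also caught.
        ipaddress.ip_address(name.strip("[]"))
        return "ip-literal"
    except ValueError:
        pass
    labels = name.split(".")
    if len(labels) < 2:
        return "unqualified"
    if not all(LABEL.fullmatch(label) for label in labels):
        return "bad-label"
    if labels[-1].isdigit():
        # All-numeric last label: looks like a malformed address, not a name.
        return "numeric-tld"
    return "ok"


# Constructed sample values covering the cases discussed above.
SAMPLES = ["192.0.2.10", "2001:db8::1", "intranet", "538.com",
           "www.something.bargains", "-bad.example.com"]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{s:24} regex={thread_regex_allows(s)!s:5} "
              f"classify={classify_sni(s)}")
```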