net-http-persistent
Auto-reconnection does not work on SNI
When I establish a connection to a site that uses SNI (and the key returned by the request is not usable) and then try to re-use that connection after 300 seconds, I get an error that the certificate does not match the hostname. Watching from Wireshark confirmed that on the initial request the certificate for *.shanske.com is returned; however, after 5 minutes, the certificate for weneca.com is returned (the server's main key, same as would be returned without SNI). So it would seem that the reconnection is not including the hostname.
To reproduce
```ruby
require 'net/http/persistent'
http = Net::HTTP::Persistent.new
uri = URI 'https://david.shanske.com'
response = http.request uri
sleep 310
response = http.request uri
```

```
OpenSSL::SSL::SSLError: hostname "david.shanske.com" does not match the server certificate
from /usr/lib64/ruby/2.1.0/openssl/ssl.rb:139:in `post_connection_check'
from /usr/lib64/ruby/2.1.0/net/http.rb:922:in `connect'
from /usr/lib64/ruby/2.1.0/net/http.rb:863:in `do_start'
from /usr/lib64/ruby/2.1.0/net/http.rb:858:in `start'
from /usr/lib64/ruby/gems/2.1.0/gems/net-http-persistent-2.9.4/lib/net/http/persistent.rb:700:in `start'
from /usr/lib64/ruby/gems/2.1.0/gems/net-http-persistent-2.9.4/lib/net/http/persistent.rb:965:in `reset'
from /usr/lib64/ruby/gems/2.1.0/gems/net-http-persistent-2.9.4/lib/net/http/persistent.rb:628:in `connection_for'
from /usr/lib64/ruby/gems/2.1.0/gems/net-http-persistent-2.9.4/lib/net/http/persistent.rb:994:in `request'
```
This is a ruby bug:
```ruby
require 'net/http'
uri = URI 'https://david.shanske.com'
Net::HTTP.start uri.hostname, uri.port, use_ssl: true do |http|
  req = Net::HTTP::Get.new uri
  response = http.request req
  p response.code
  sleep 310
  req = Net::HTTP::Get.new uri
  response = http.request req
  p response.code
end
```

```
$ ruby test.rb
"200"
/usr/local/lib/ruby/2.1.0/openssl/ssl.rb:139:in `post_connection_check': hostname "david.shanske.com" does not match the server certificate (OpenSSL::SSL::SSLError)
from /usr/local/lib/ruby/2.1.0/net/http.rb:922:in `connect'
from /usr/local/lib/ruby/2.1.0/net/http.rb:1447:in `begin_transport'
from /usr/local/lib/ruby/2.1.0/net/http.rb:1404:in `transport_request'
from /usr/local/lib/ruby/2.1.0/net/http.rb:1378:in `request'
from test.rb:10:in `block in <main>'
from /usr/local/lib/ruby/2.1.0/net/http.rb:853:in `start'
from /usr/local/lib/ruby/2.1.0/net/http.rb:583:in `start'
from test.rb:4:in `<main>'
```
I have created Bug #10533 and will work on a fix there.
The bug is due to session resumption. I'll see what I can do to patch it via net-http-persistent until a release with the patch to Net::HTTP is available.
Just got bitten hard by this issue :) Any progress on a workaround?
Any progress on this issue?
EDIT: This issue may no longer be relevant: https://github.com/drbrain/net-http-persistent/blob/master/lib/net/http/persistent/ssl_reuse.rb
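
The symptom reported in this thread (the server's main certificate coming back and `post_connection_check` rejecting it) can be reproduced offline with the sketch below, which is an added example and not code from the thread, from net-http-persistent or from Net::HTTP. It compares a handshake that sends SNI with one that does not against a loopback name-based TLS server; it does not model session resumption. The helper names and the `.example` hostnames are assumptions made for the illustration.

```ruby
require 'openssl'
require 'socket'

# Server context holding a constructed self-signed certificate for cn (test data).
def make_ctx(cn)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version, cert.serial = 2, 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.public_key = key.public_key
  cert.not_before, cert.not_after = Time.now - 60, Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new(cert, cert)
  cert.add_extension(ef.create_extension('subjectAltName', "DNS:#{cn}"))
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  OpenSSL::SSL::SSLContext.new.tap { |ctx| ctx.cert, ctx.key = cert, key }
end

# Loopback TLS server. vhosts maps an SNI name to its context; any other
# ClientHello, including one that carries no SNI, is served from default_ctx.
def start_sni_server(default_ctx, vhosts)
  default_ctx.servername_cb = proc { |_sock, name| vhosts[name] }
  tcp = TCPServer.new('127.0.0.1', 0)
  server = OpenSSL::SSL::SSLServer.new(tcp, default_ctx)
  # A failed handshake must not stop the listener, so errors are swallowed.
  Thread.new { loop { server.accept.close rescue nil } }
  tcp.addr[1]
end

# True when the certificate served for this handshake matches host. The chain is
# not verified here (constructed self-signed certs); only the name check runs.
def cert_matches?(port, host, send_sni:)
  ssl = OpenSSL::SSL::SSLSocket.new(TCPSocket.new('127.0.0.1', port))
  ssl.sync_close = true
  ssl.hostname = host if send_sni # puts host in the ClientHello SNI extension
  ssl.connect
  ssl.post_connection_check(host)
rescue OpenSSL::SSL::SSLError
  false
ensure
  ssl&.close
end

def demo(host = 'vhost.example') # constructed name under the reserved .example TLD
  port = start_sni_server(make_ctx('main.example'), host => make_ctx(host))
  { with_sni: cert_matches?(port, host, send_sni: true),
    without_sni: cert_matches?(port, host, send_sni: false) }
end

p demo if $PROGRAM_NAME == __FILE__
```

Running the same two-handshake comparison against a real client library, with the second handshake made after its reconnect, shows whether the reconnect path still sends the hostname.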