if net.ParseIP(host) != nil {
return ""
}
- if len(name) > 0 && name[len(name)-1] == '.' {
+ for len(name) > 0 && name[len(name)-1] == '.' {
name = name[:len(name)-1]
}
return name
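Review bot: The new `for` loop has no comment saying why every trailing dot is now stripped instead of just one, which a later reader will read as an unexplained behavioural widening; suggest `// Strip all trailing dots: an SNI HostName must not end in '.' (RFC 6066 section 3) and the server-side parser rejects one.` above it. A name consisting only of dots now collapses to "", the same value the IP-address branch above returns, so callers must already treat "" as "send no SNI" rather than as an error; worth stating in the comment too. The enclosing function's signature is outside the hunk.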
package tls
-import "bytes"
+import (
+ "bytes"
+ "strings"
+)
type clientHelloMsg struct {
raw []byte
}
if nameType == 0 {
m.serverName = string(d[:nameLen])
+ // An SNI value may not include a
+ // trailing dot. See
+ // https://tools.ietf.org/html/rfc6066#section-3.
+ if strings.HasSuffix(m.serverName, ".") {
+ return false
+ }
break
}
d = d[nameLen:]
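Review bot: The trailing-dot check at the `strings.HasSuffix` line runs after `m.serverName` has already been assigned, so a rejected hello leaves the offending value stored in the message before `return false`. That is harmless only while every caller discards the message on a false return; testing the raw bytes first keeps state off the failure path, e.g. `if nameLen > 0 && d[nameLen-1] == '.' { return false }` placed before the assignment. Either way the failure surfaces as a generic parse error, so a client sending a trailing dot gets no hint of the cause; that is acceptable here but worth noting in the comment. The enclosing unmarshal function starts and ends outside the hunk.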
"bytes"
"math/rand"
"reflect"
+ "strings"
"testing"
"testing/quick"
)
}
if rand.Intn(10) > 5 {
m.serverName = randomString(rand.Intn(255), rand)
+ for strings.HasSuffix(m.serverName, ".") {
+ m.serverName = m.serverName[:len(m.serverName)-1]
+ }
}
m.ocspStapling = rand.Intn(10) > 5
m.supportedPoints = randomBytes(rand.Intn(5)+1, rand)
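Review bot: The stripping loop added to the generator has no comment explaining why it alters the random value, and it reads like a generator bug rather than a deliberate constraint; suggest `// unmarshal rejects an SNI ending in '.', so keep the generated name valid for the round trip.` above the `for`. The loop can reduce an all-dot string to "", which presumably produces a hello with no SNI extension; that only round-trips cleanly if marshal omits the extension for an empty name, so confirm that is the case. The enclosing generator function starts outside the hunk.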
testClientHelloFailure(t, serverConfig, clientHello, "no cipher suite supported by both client and server")
}
+func TestRejectSNIWithTrailingDot(t *testing.T) {
+ testClientHelloFailure(t, testConfig, &clientHelloMsg{vers: VersionTLS12, serverName: "foo.com."}, "unexpected message")
+}
+
func TestDontSelectECDSAWithRSAKey(t *testing.T) {
// Test that, even when both sides support an ECDSA cipher suite, it
// won't be selected if the server's private key doesn't support it.
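Review bot: TestRejectSNIWithTrailingDot checks only that "foo.com." fails with the generic "unexpected message" outcome, so it would pass equally if the hello were refused for an unrelated parse error; pairing it with the same hello minus the trailing dot and asserting that one is not rejected at this stage (if the test helpers offer a success path) would pin the failure to the new check. A second negative input such as a bare "." would also cover the degenerate case. A short table keeps this to one loop: `for _, name := range []string{"foo.com.", "foo.com..", "."} {` wrapped around the existing testClientHelloFailure call with `serverName: name`.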