GoogleCloudPlatform / alloydb-python-connector

A Python library for connecting securely to your AlloyDB instances.
Apache License 2.0

fix: have ssl handshake check hostname #283

Closed jackwotherspoon closed 2 months ago

jackwotherspoon commented 6 months ago

For Cloud SQL we need to disable hostname checking in the SSL handshake because the IP address does not match the SAN. However, for AlloyDB this is not the case and the IP address can be validated as the hostname.

Fixes #324

enocom commented 5 months ago

We need to hold off on this until PSC DNS is populated in all existing certificates.

enocom commented 3 months ago

Via @jackwotherspoon

"HostName" contains the fully qualified DNS hostname of the server, as understood by the client. The hostname is represented as a byte string using ASCII encoding without a trailing dot.

https://datatracker.ietf.org/doc/html/rfc6066#section-3

jackwotherspoon commented 3 months ago

TL;DR:

For wrap_socket and passing it to SSLContext, the trailing dot is invalid. However, the hostname match requires a perfect match to the DNS entry in the SAN which has the trailing dot. Thus, here we are, stuck with the hostname match failing.
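The two points above, the PR description's contrast between the Cloud SQL posture (hostname check off, chain still verified) and the AlloyDB posture (hostname check on), and the trailing-dot mismatch this comment describes, as an added, runnable illustration. This is not the alloydb-python-connector's own code and not how CPython's ssl module is implemented: dns_name_matches, san_matches, build_client_context and the SAMPLE_SAN certificate data are hypothetical names and constructed inputs, and the label-by-label comparison is a plain RFC 6125-style matcher written to show why "db.example.internal." and "db.example.internal" fail a strict comparison and why an IP literal never matches a dNSName entry.

```python
"""Hostname-vs-SAN matching and the two client postures this thread
contrasts.  Added illustration only; not the connector's code.  The SAN
lists below are constructed sample data, not real certificates."""
import ipaddress
import ssl
from typing import Optional


def _strip_root(name: str) -> str:
    """Drop the single trailing dot that marks a fully qualified DNS name."""
    return name[:-1] if name.endswith(".") else name


def dns_name_matches(san_entry: str, hostname: str, *, ignore_trailing_dot: bool = False) -> bool:
    """Compare one dNSName SAN entry against a presented hostname.

    Case-insensitive, label by label; a wildcard is honoured only as the
    whole left-most label and only when at least two more labels follow.
    Strict mode treats "db.example.internal." and "db.example.internal" as
    different names (the trailing dot adds an empty label); with
    ignore_trailing_dot=True both sides are folded to the same form first.
    """
    if ignore_trailing_dot:
        san_entry, hostname = _strip_root(san_entry), _strip_root(hostname)
    san_labels = san_entry.lower().split(".")
    host_labels = hostname.lower().split(".")
    if len(san_labels) != len(host_labels):
        return False
    if san_labels[0] == "*":
        return len(san_labels) >= 3 and san_labels[1:] == host_labels[1:]
    return san_labels == host_labels


def san_matches(san: dict, target: str, *, ignore_trailing_dot: bool = False) -> bool:
    """Check a target (DNS name or IP literal) against a SAN extension.

    `san` is {"dns": [...], "ip": [...]}, the shape you would pull out of a
    parsed certificate.  An IP literal is compared only with iPAddress
    entries, never with dNSName entries, so a client that connects by IP
    fails hostname verification whenever the certificate carries DNS
    names only.
    """
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        ip = None
    if ip is not None:
        return any(ipaddress.ip_address(entry) == ip for entry in san.get("ip", []))
    return any(dns_name_matches(entry, target, ignore_trailing_dot=ignore_trailing_dot)
               for entry in san.get("dns", []))


def build_client_context(*, strict_hostname: bool, cafile: Optional[str] = None) -> ssl.SSLContext:
    """Client context for either posture.

    strict_hostname=True keeps the default hostname check (the AlloyDB
    case from the PR description).  strict_hostname=False turns it off
    while still requiring a chain that validates against the loaded CA
    (the Cloud SQL case), which leaves the application responsible for
    its own identity check, e.g. san_matches() over the peer certificate.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # CERT_REQUIRED and check_hostname on by default
    if cafile:
        ctx.load_verify_locations(cafile)
    ctx.check_hostname = strict_hostname
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


# Constructed sample: a server certificate whose SAN carries the FQDN with
# the root dot (as in this thread) plus one IP address.
SAMPLE_SAN = {"dns": ["db.example.internal."], "ip": ["10.0.0.5"]}

if __name__ == "__main__":
    print(san_matches(SAMPLE_SAN, "db.example.internal"))                            # False: strict compare
    print(san_matches(SAMPLE_SAN, "db.example.internal", ignore_trailing_dot=True))  # True
    print(san_matches(SAMPLE_SAN, "10.0.0.5"))                                        # True: iPAddress entry
    print(san_matches({"dns": ["db.example.internal"]}, "10.0.0.5"))                 # False: DNS names only
```

The matcher makes the failure mode concrete: with the trailing dot present on the SAN side and absent on the client side, the label lists differ in length and a strict comparison fails before any label is compared, which is the "stuck" state described above. The context helper only sets attributes; a real client would still pass server_hostname to wrap_socket, and in CPython 3.7+ that value may be an IP literal, which OpenSSL then checks against iPAddress entries rather than sending as SNI.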

enocom commented 2 months ago

Going to close this for now. We'll need to revisit some server settings I think.