CMCDragonkai
commented
10 months ago For PK, this is not a blocker, since we don't rely on IPs necessarily. We rely on custom Node ID verification. However, if we create an HTTP status page, and people expect to be able to contact it from a browser, it would be nice for it work out of the box for localhost or local IPs.
Note that at this point it is still a self-signed certificate, and not signed by a public third party CA. That's ok, as the browser will ask once, and then accept it, the browser as a client would not understand the Node ID, but would understand normal verification based on localhost hostname or 127.0.0.1 IP SAN.
Specification
OpenSSL implementations in nodejs automatically checks for IP SAN when checking the server name. Thus it is then possible to support certificates that are signed for certain IP addresses.
However quiche's boring usage did not activate this, so it completely ignores IP SANs.
In our tests, which we use
localhostand127.0.0.1and::1alot, without this it results in a bunch of TLS verification failures.To get around this, we ended up with
DNSSANs that are127.0.0.1and::1as strings. However this is not correct as there are multiple forms of::1that is valid, and the IP SANs would allow the TLS library to understand it's not just a string match, and instead do an IP equivalence check.This will require an upstream fix, details are here: https://github.com/MatrixAI/js-quic/pull/53#issuecomment-1731099511
Additional context
Tasks