crypto/tls: reject SNI values with a trailing dot.

SNI values may not include a trailing dot according to https://tools.ietf.org/html/rfc6066#section-3. Although crypto/tls handled this correctly as a client, it didn't reject this as a server. This change makes sending an SNI value with a trailing dot a fatal error. Updates #18114. Change-Id: Ib7897ab40e98d4a7a4646ff8469a55233621f631 Reviewed-on: https://go-review.googlesource.com/33904 Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org> TryBot-Result: Gobot Gobot <gobot@golang.org> Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
2025-04-04 04:27:36 +03:00 · 2016-12-05 10:24:30 -08:00 · 2016-12-05 10:24:30 -08:00 · 905f7aea38
commit 905f7aea38
parent 0c21fe3f19
4 changed files with 19 additions and 2 deletions
--- a/handshake_messages.go
+++ b/handshake_messages.go
@ -4,7 +4,10 @@

 package tls

-import "bytes"
+import (
+	"bytes"
+	"strings"
+)

 type clientHelloMsg struct {
 	raw                          []byte
@ -393,6 +396,12 @@ func (m *clientHelloMsg) unmarshal(data []byte) bool {
 				}
 				if nameType == 0 {
 					m.serverName = string(d[:nameLen])
+					// An SNI value may not include a
+					// trailing dot. See
+					// https://tools.ietf.org/html/rfc6066#section-3.
+					if strings.HasSuffix(m.serverName, ".") {
+						return false
+					}
 					break
 				}
 				d = d[nameLen:]