v0.21.12 release preparation #1925

Merged 5 commits on Apr 26, 2024

Member

@cpu cpu commented Apr 26, 2024

Proposed release notes

  • The server name indication (SNI) client extension is now ignored when it contains an out-of-specification IP address value.
  • MSRV is now 1.63.

Backports #1881 to the rel-0.21 branch.

This PR makes us ignore the server_name ClientHello extension if it contains a literal IP address. We don't indicate support for the server_name extension if we ignored it, and it is not available via any API -- it is as if the client did not send the extension at all. Other illegal names continue to be rejected as before.

This is necessary to deal with non-compliant extension data sent by OpenSSL (openssl/openssl#20041) and Apple SecureTransport (#1878).

Code changes in each commit were required to adjust for API differences between the releases.

Hopefully this will help with dart-lang/http#1161 and a couple other instances of folks stuck on 0.21 for various reasons.

ctz added 2 commits April 26, 2024 10:06
This works around quality-of-implementation issues in OpenSSL and
Apple SecureTransport: they send `server_name` extensions containing
IP addresses.  RFC6066 specifically disallows that.

It is a similar work-around to that adopted by LibreSSL: ignore
SNI contents if they can be parsed as an IP address.
@cpu cpu self-assigned this Apr 26, 2024
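
The three-way handling described in the PR description and commit message above (accept a DNS name, ignore an IP literal, reject anything else), as an added example that is not part of the PR or the rustls code base. `SniDecision`, `classify_sni`, `is_dns_hostname` and `acknowledges_sni` are hypothetical names, the hostname syntax check is a simplified assumption, and the sample values are constructed.

```rust
use std::net::IpAddr;

/// Server-side handling of one `host_name` entry from the ClientHello.
#[derive(Debug, PartialEq)]
enum SniDecision {
    Accept(String), // usable DNS name (lower-cased)
    Ignore,         // IP literal: act as if no extension was sent
    Reject,         // any other illegal name: fail the handshake
}

/// Simplified hostname check (assumption, not the rustls validator): dot-separated
/// labels of 1..=63 letters, digits or '-', no leading/trailing '-', max 253 bytes.
fn is_dns_hostname(name: &str) -> bool {
    name.len() <= 253
        && name.split('.').all(|label| {
            (1..=63).contains(&label.len())
                && label.bytes().all(|b| b.is_ascii_alphanumeric() || b == b'-')
                && !label.starts_with('-') && !label.ends_with('-')
        })
}

fn classify_sni(raw: &[u8]) -> SniDecision {
    let name = match std::str::from_utf8(raw) {
        Ok(s) => s,
        Err(_) => return SniDecision::Reject,
    };
    // The IP test must come first: "192.0.2.10" also satisfies the hostname
    // syntax above, and "2001:db8::1" would otherwise be rejected outright.
    if name.parse::<IpAddr>().is_ok() {
        return SniDecision::Ignore;
    }
    if is_dns_hostname(name) {
        SniDecision::Accept(name.to_ascii_lowercase())
    } else {
        SniDecision::Reject
    }
}

/// The server acknowledges `server_name` only when it actually used the name.
fn acknowledges_sni(d: &SniDecision) -> bool {
    matches!(d, SniDecision::Accept(_))
}

fn main() {
    for raw in ["example.com", "192.0.2.10", "2001:db8::1", "bad name"] { // constructed samples
        let d = classify_sni(raw.as_bytes());
        println!("{raw:?} -> {d:?}, ack={}", acknowledges_sni(&d));
    }
}
```
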
Member Author

cpu commented Apr 26, 2024

rustls / Check semver compatibility (pull_request) Failing after 19s

```
Description:
A publicly-visible enum without #[non_exhaustive] has a new variant.
        ref: https://doc.rust-lang.org/cargo/reference/semver.html#enum-variant-new
       impl: https://github.com/obi1kenobi/cargo-semver-checks/tree/v0.31.0/src/lints/enum_variant_added.ron

Failed in:
  variant ServerNamePayload:IpAddress in /home/runner/work/rustls/rustls/rustls/src/msgs/handshake.rs:216
```

I think ServerNamePayload is in the internal API namespace and so doesn't need to be considered for semver.

Member

djc commented Apr 26, 2024

Probably okay to bump the MSRV to 1.63 on this branch, too?

Member Author

cpu commented Apr 26, 2024

> Probably okay to bump the MSRV to 1.63 on this branch, too?

Sure 👍 I can do that and also include a Cargo version bump and we can call this the release prep branch.

@cpu cpu changed the title from "0.21: Relax server_name extension validation" to "v0.21.12 release preparation" Apr 26, 2024
cpu added 3 commits April 26, 2024 10:23
```
error: unnecessary closure used with `bool::then`
  --> rustls/src/tls13/mod.rs:87:9
   |
87 |         (prev.hash_algorithm() == self.hash_algorithm()).then(|| prev)
   |         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^-------------
   |                                                          |
   |                                                          help: use `then_some(..)` instead: `then_some(prev)`
   |
   = help: for further information visit https://rust-lang.github.io/rust-clippy/master/index.html#unnecessary_lazy_evaluations
   = note: `-D clippy::unnecessary-lazy-evaluations` implied by `-D warnings`
   = help: to override `-D warnings` add `#[allow(clippy::unnecessary_lazy_evaluations)]`

```
We're seeing more of our deps move to this MSRV or higher (e.g.
`webpki`, `rustls-platform-verifier`) and it's shipped in Debian stable.
Time to move our MSRV to 1.63.


@cpu cpu added this pull request to the merge queue Apr 26, 2024
Merged via the queue into rustls:rel-0.21 with commit 3633152 Apr 26, 2024
19 of 20 checks passed
@cpu cpu deleted the cpu-rel-0.21-sni-crimes branch April 26, 2024 14:47