diff options
| author |  David Cowden <dcow@eero.com> | 2018-02-08 22:58:53 -0800 |
|---|---|---|
| committer | David Cowden <dcow@eero.com> | 2018-04-26 12:25:38 -0700 |
| commit | 116fd29a36b1b5af454de11bda6d100f9565be91 (patch) | |
| tree | b90765f1675758d7759e5a7e05bc91d01b47ce99 /test/cpp/microbenchmarks/bm_error.cc | |
| parent | 8acece911a6666ac29040451622db4032f4ce5f9 (diff) | |
gRPC core: strip zone-id from IPv6 hosts before TLS verification
When initiating a connection to an IPv6 peer using an address that is
not globally scoped, there may be ambiguity regarding which zone the
destination address applies to when multiple links of the same scope
are present. The scoped address architecture and zone-id syntax are
described in rfc4007 and rfc 6874, respectively:
* https://tools.ietf.org/html/rfc4007#section-6
* https://tools.ietf.org/html/rfc6874
This patch allows host name verification performed during TLS session
establishment, and on a per-call basis, to work correctly when the peer
presents a certificate with a non-global IPv6 address listed as one of
its alternate names. Whether arbitrary certificate authorities choose
issue certificates of this nature, or not, is outside the scope of gRPC.
The zone-id is separated from the address using a percent (%) character.
It is considered a system implementation detail and guidance suggests it
be stripped from any paths or addresses egressing a host because it is
irrelevant and meaningless otherwise. It would not make sense for a
server to present a certificate containing non-global IPv6 addresses
with zone-ids present nor would it work unless two hosts happened to
be using the same zone-id.
ssl_host_matches_name is prefixed with grpc_ because it has been
promoted to the global namespace for testing.
Resolves #14371
Diffstat (limited to 'test/cpp/microbenchmarks/bm_error.cc')
0 files changed, 0 insertions, 0 deletions