crypto/tls: reject SNI values with a trailing dot.

SNI values may not include a trailing dot according to https://tools.ietf.org/html/rfc6066#section-3. Although crypto/tls handled this correctly as a client, it didn't reject this as a server. This change makes sending an SNI value with a trailing dot a fatal error. Updates #18114. Change-Id: Ib7897ab40e98d4a7a4646ff8469a55233621f631 Reviewed-on: https://go-review.googlesource.com/33904 Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org> TryBot-Result: Gobot Gobot <gobot@golang.org> Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
2025-12-08 06:10:04 +00:00 · 2016-12-05 10:24:30 -08:00 · 2016-12-05 10:24:30 -08:00 · 3f45916433
commit 3f45916433
parent e56be94375
4 changed files with 19 additions and 2 deletions
--- a/src/crypto/tls/handshake_server_test.go
+++ b/src/crypto/tls/handshake_server_test.go
@ -137,6 +137,10 @@ func TestNoRC4ByDefault(t *testing.T) {
 	testClientHelloFailure(t, serverConfig, clientHello, "no cipher suite supported by both client and server")
 }

+func TestRejectSNIWithTrailingDot(t *testing.T) {
+	testClientHelloFailure(t, testConfig, &clientHelloMsg{vers: VersionTLS12, serverName: "foo.com."}, "unexpected message")
+}
+
 func TestDontSelectECDSAWithRSAKey(t *testing.T) {
 	// Test that, even when both sides support an ECDSA cipher suite, it
 	// won't be selected if the server's private key doesn't support it.