Add check to prevent the use of IP addresses as SNI hostnames
parent
ee9fa841e2
commit
9d02baad2c
2 changed files with 10 additions and 2 deletions
|
@ -14,6 +14,7 @@ import android.net.SSLCertificateSocketFactory;
|
|||
import android.os.Build;
|
||||
import android.text.TextUtils;
|
||||
|
||||
import app.k9mail.core.common.net.HostNameUtils;
|
||||
import com.fsck.k9.mail.MessagingException;
|
||||
import com.fsck.k9.mail.ssl.TrustManagerFactory;
|
||||
import com.fsck.k9.mail.ssl.TrustedSocketFactory;
|
||||
|
@ -129,7 +130,10 @@ public class DefaultTrustedSocketFactory implements TrustedSocketFactory {
|
|||
|
||||
hardenSocket(sslSocket);
|
||||
|
||||
setSniHost(socketFactory, sslSocket, host);
|
||||
// RFC 6066 does not permit the use of literal IPv4 or IPv6 addresses as SNI hostnames.
|
||||
if (HostNameUtils.INSTANCE.isLegalIPAddress(host) == null) {
|
||||
setSniHost(socketFactory, sslSocket, host);
|
||||
}
|
||||
|
||||
return trustedSocket;
|
||||
}
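Review bot: The new guard `if (HostNameUtils.INSTANCE.isLegalIPAddress(host) == null)` decides whether SNI is sent, but the hunk does not show how that helper treats bracketed IPv6 literals such as `[::1]`, addresses with a zone id, or a null `host`. If it returns null for any of those forms, the address would still reach `setSniHost`, so a unit test with IPv4, plain IPv6 and bracketed IPv6 hosts would pin the intended behaviour. The `== null` test also reads inverted at first glance; a line such as `// isLegalIPAddress() returns null when host is not an IP literal, i.e. a DNS name` above the `if` would help, assuming that is the helper's contract. The identical hunk in the second changed file has the same gap, and the enclosing method starts outside the hunk, so how `host` is validated before this point is not visible.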
|
||||
|
|
|
@ -14,6 +14,7 @@ import android.net.SSLCertificateSocketFactory;
|
|||
import android.os.Build;
|
||||
import android.text.TextUtils;
|
||||
|
||||
import app.k9mail.core.common.net.HostNameUtils;
|
||||
import com.fsck.k9.mail.MessagingException;
|
||||
import com.fsck.k9.mail.ssl.TrustManagerFactory;
|
||||
import com.fsck.k9.mail.ssl.TrustedSocketFactory;
|
||||
|
@ -129,7 +130,10 @@ public class DefaultTrustedSocketFactory implements TrustedSocketFactory {
|
|||
|
||||
hardenSocket(sslSocket);
|
||||
|
||||
setSniHost(socketFactory, sslSocket, host);
|
||||
// RFC 6066 does not permit the use of literal IPv4 or IPv6 addresses as SNI hostnames.
|
||||
if (HostNameUtils.INSTANCE.isLegalIPAddress(host) == null) {
|
||||
setSniHost(socketFactory, sslSocket, host);
|
||||
}
|
||||
|
||||
return trustedSocket;
|
||||
}
|
||||
|
|