[SChannel][FTP][TLS] Port number is incorrectly included in server_name in ClientHello

Bug reports will be moved here when the described bug has been fixed

za222
Member
Posts: 146
Joined: 2003-03-11, 17:19 UTC
Location: Germany

[SChannel][FTP][TLS] Port number is incorrectly included in server_name in ClientHello

Post by *za222 »

Try to connect to FTP: ftps://foo.bar.com:12345 via SChannel (wcx_ftp.ini: PreferOpenSSL=0)

The ClientHello TLS handshake contains the port number in the SNI extension:

Code:

extensions" : [
    ...
    ,
    "server_name (0)": {
      type=host_name (0), value=foo.bar.com:12345
    },
    ...
]
This is incorrect. It should only contain "foo.bar.com" without the port number.

This causes multiple issues:

1) SNI fails. Due to the fact that the port number should *not* be part of the handshake, but is, the server won't be able to choose the appropriate virtual host "foo.bar.com" and the server might fail to present the appropriate certificate.

2) A Java-based server with the TLS session ticket extension enabled even refuses to accept the connection completely, because the SNI host contains invalid characters:

Code:

java.lang.IllegalArgumentException: Contains non-LDH ASCII characters
	at java.base/java.net.IDN.toASCIIInternal(IDN.java:296)
	at java.base/java.net.IDN.toASCII(IDN.java:122)
	at java.base/javax.net.ssl.SNIHostName.<init>(SNIHostName.java:99)
	at java.base/sun.security.ssl.SSLSessionImpl.<init>(SSLSessionImpl.java:417)
	...

When using OpenSSL to connect, the ClientHello only contains the correct

Code:

extensions" : [
    ...
    ,
    "server_name (0)": {
      type=host_name (0), value=foo.bar.com
    },
    ...
]
*without* the port number. SNI and session resumption work as expected.

Is this a problem within SChannel?
Or is this something that can be fixed in Total Commander? (By setting the correct SCH_CRED_SNI_CREDENTIAL in InitializeSecurityContext?)

The TC log contains

Code:

Connect to: (03.04.2021 15:34:19)
hostname=foo.bar.com:12345
username=user
startdir=/
which suggests the former, i.e. "hostname=foo.bar.com:12345" being passed down to the crypto library instead of just hostname=foo.bar.com. (And then OpenSSL seems to do the right thing and strip off the port.)
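As an added illustration (not code from this report, from Total Commander or from SChannel), the following Python does what the report says the client should do before calling the TLS library: separate the port from the host, encode an RFC 6066 server_name extension that carries only the host, and apply the LDH (letters, digits, hyphen) label check that made the Java server refuse the handshake. Function names and the sample targets are my own.

```python
import re
import struct

# RFC 6066 host_name is a DNS name: LDH labels of 1..63 characters, dot-separated.
LDH_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")

def split_host_port(target):
    """Split 'host:port' or '[v6-literal]:port' into (host, port); port is None if absent."""
    if target.startswith("["):                      # bracketed IPv6 literal
        host, _, rest = target[1:].partition("]")
        port = int(rest[1:]) if rest.startswith(":") else None
        return host, port
    host, sep, port = target.rpartition(":")
    if sep and port.isdigit():
        return host, int(port)
    return target, None

def is_ldh_hostname(name):
    """True if every label is LDH ASCII; ':' and friends fail, like Java's SNIHostName."""
    return bool(name) and all(LDH_LABEL.match(label) for label in name.split("."))

def build_sni_extension(hostname):
    """Encode a server_name extension (type 0) with a single host_name entry."""
    host = hostname.encode("ascii")
    entry = struct.pack("!BH", 0, len(host)) + host          # name_type=host_name(0)
    name_list = struct.pack("!H", len(entry)) + entry         # ServerNameList
    return struct.pack("!HH", 0, len(name_list)) + name_list  # ExtensionType + length

def parse_sni_extension(ext):
    """Decode the host_name from a server_name extension; raise on malformed input."""
    ext_type, ext_len = struct.unpack("!HH", ext[:4])
    if ext_type != 0 or ext_len != len(ext) - 4:
        raise ValueError("not a well-formed server_name extension")
    list_len, = struct.unpack("!H", ext[4:6])
    body = ext[6:6 + list_len]
    name_type, name_len = struct.unpack("!BH", body[:3])
    if name_type != 0 or name_len != len(body) - 3:
        raise ValueError("unsupported or truncated ServerName entry")
    return body[3:3 + name_len].decode("ascii")

def sni_for_target(target):
    """Derive the SNI host from a 'host:port' target, rejecting what a server would refuse."""
    host, _port = split_host_port(target)
    if not is_ldh_hostname(host):
        raise ValueError(f"{host!r} is not a valid SNI host_name")
    return host
```

Feeding the buggy value "foo.bar.com:12345" straight into build_sni_extension() produces an extension whose decoded name fails is_ldh_hostname(), which is exactly the condition the Java stack trace in the report reports.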
ghisler(Author)
Site Admin
Posts: 48021
Joined: 2003-02-04, 09:46 UTC
Location: Switzerland

Re: [SChannel][FTP][TLS] Port number is incorrectly included in server_name in ClientHello

Post by *ghisler(Author) »

I will check it, thanks!
Author of Total Commander
https://www.ghisler.com
za222
Member
Posts: 146
Joined: 2003-03-11, 17:19 UTC
Location: Germany

Re: [SChannel][FTP][TLS] Port number is incorrectly included in server_name in ClientHello

Post by *za222 »

Fixed in 10.00 beta 5. Thanks a lot! :)