Trailing dot in URL causes TLS failure
REBELinBLUE opened this issue
Adding a dot to the end of the URL is valid; it tells DNS that it is an absolute fully-qualified domain name. This is a common trick in Kubernetes to prevent it from trying to resolve the address locally first, due to /etc/resolv.conf having ndots set to 5 (i.e. domains with fewer than 5 dots try to resolve locally). See https://pracucci.com/kubernetes-dns-resolution-ndots-options-and-why-it-may-affect-application-performances.html, Solution 1, for example.
This works fine in amqplib; however, when you are using TLS it does not, and you get the error `Error: Client network socket disconnected before secure TLS connection was established`.

This is because in connect.js the following code

```js
sockopts.host = url.hostname;
sockopts.servername = url.hostname;
```

sets `servername`, which is the servername for the SNI TLS extension, and in SNI the servername must not have a trailing dot: https://datatracker.ietf.org/doc/html/rfc6066#section-3

You can see how curl strips it here: curl/curl@5de8d84
Happy to submit a PR
Hi @REBELinBLUE,
Thank you for the detailed analysis. Very happy to accept a PR.
@cressie176 I see you may have already fixed it in 318a682 by allowing the servername to be supplied separately; it looks like it was fixed in #697.