Conversation

Frando
Member

@Frando Frando commented Sep 30, 2025

Description

We append a final dot to all relay URL domains, to make sure that during DNS resolution the domain is treated as absolute, and no search suffix is appended. However, in the context of TLS name verification it is more correct to not have a final dot, so that the URL's hostname matches the name in the certificate. It seems this is not an issue with rustls, but when using openssl this is an issue (which we had reports for, but those are also fixed by #3486).

This PR adds methods to get the relay URL or hostname without the final dot, and uses those in the context of HTTPS requests.

Breaking Changes

Notes & open questions

Should check if there's more uses of those URLs. Likely we want to do the same when actually connecting to the relay? But didn't yet find the perfect spot for that.

Change checklist

  • Self-review.
  • Documentation updates following the style guide, if relevant.
  • Tests if relevant.
  • All breaking changes documented.
    • List all breaking changes in the above "Breaking Changes" section.
    • Open an issue or PR on any number0 repos that are affected by this breaking change. Give guidance on how the updates should be handled or do the actual updates themselves. The major ones are:
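The description above keeps one hostname in two forms: with a trailing dot for DNS resolution (absolute name, no search suffix appended) and without it for TLS SNI and certificate name matching. The following is an added example, not iroh's code, showing one way to keep a single canonical value and derive both forms, plus a dNSName comparison that tolerates a trailing dot on either side; the type and function names are hypothetical.

```rust
// Added example (not iroh's code): one canonical relay hostname, two derived forms.
#[derive(Debug, Clone, PartialEq, Eq)]
pub struct RelayHost {
    // Stored in absolute form, always with a trailing dot.
    fqdn: String,
}

#[derive(Debug, PartialEq, Eq)]
pub struct InvalidHost(String);

impl RelayHost {
    /// Accepts "relay.example.net" or "relay.example.net." and normalises to the absolute form.
    pub fn parse(input: &str) -> Result<Self, InvalidHost> {
        let trimmed = input.trim().to_ascii_lowercase();
        let stripped = trimmed.trim_end_matches('.');
        if stripped.is_empty() || stripped.split('.').any(|label| label.is_empty()) {
            return Err(InvalidHost(input.to_string()));
        }
        Ok(Self { fqdn: format!("{stripped}.") })
    }

    /// Absolute name for DNS resolution: the trailing dot stops resolvers from
    /// appending a search suffix (e.g. turning "relay" into "relay.corp.internal").
    pub fn dns_name(&self) -> &str {
        &self.fqdn
    }

    /// Name for TLS SNI and certificate verification: no trailing dot, so it
    /// compares equal to the dNSName entries a certificate carries.
    pub fn tls_name(&self) -> &str {
        self.fqdn.trim_end_matches('.')
    }
}

/// Compares a certificate dNSName with the TLS name. Case-insensitive, trailing dots
/// ignored on both sides, and a single leading "*" label matches exactly one host
/// label (RFC 6125 style); wildcards covering a whole public suffix are refused.
pub fn cert_name_matches(cert_dns_name: &str, tls_name: &str) -> bool {
    let pattern = cert_dns_name.trim_end_matches('.').to_ascii_lowercase();
    let host = tls_name.trim_end_matches('.').to_ascii_lowercase();
    let p: Vec<&str> = pattern.split('.').collect();
    let h: Vec<&str> = host.split('.').collect();
    if p.len() != h.len() {
        return false;
    }
    let wildcard = p.first() == Some(&"*");
    if wildcard && p.len() < 3 {
        return false; // refuse "*.net"-style patterns
    }
    p.iter().zip(&h).enumerate().all(|(i, (pl, hl))| !hl.is_empty() && ((wildcard && i == 0) || pl == hl))
}
```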


github-actions bot commented Sep 30, 2025

Documentation for this PR has been generated and is available at: https://n0-computer.github.io/iroh/pr/3487/docs/iroh/

Last updated: 2025-09-30T11:08:23Z

Contributor

@flub flub left a comment


I'm kind of -0.5 on this.

  1. It's brittle because we need to remember where to use which representation of the URL. Your comment already has questions about having found every spot.
  2. #3486 already fixes this anyway.
  3. The original reason for the final dot still applies, why let reqwest do the extra DNS lookups?

@n0bot n0bot bot added this to iroh Sep 30, 2025
@github-project-automation github-project-automation bot moved this to 🏗 In progress in iroh Sep 30, 2025

Netsim report & logs for this PR have been generated and are available at: LOGS
This report will remain available for 3 days.

Last updated for commit: 96b3999

@dignifiedquire
Contributor

  1. The original reason for the final dot still applies, why let reqwest do the extra DNS lookups?

From the investigation it sounded to me like that is not the case, the dot is removed by rustls at some point, so there seems to be no benefit in this case.

@flub
Contributor

flub commented Sep 30, 2025

  1. The original reason for the final dot still applies, why let reqwest do the extra DNS lookups?

From the investigation it sounded to me like that is not the case, the dot is removed by rustls at some point, so there seems to be no benefit in this case.

@Frando correct me if I'm wrong, but I understood the dot is only removed to check whether the name on the certificate matches the dialed name. So that dot is left in-place for the dialing itself?

@ramfox ramfox added this to the v0.93.0 milestone Oct 2, 2025
@ramfox
Member

ramfox commented Oct 2, 2025

closes #3377

@dignifiedquire dignifiedquire removed this from the v0.93.0 milestone Oct 7, 2025