Auto-reconnection does not work on SNI

[dissolve]

When I establish a connection to a site that uses SNI (and the key returned by the request is not usable) and then try to re-use that connection after 300 seconds, I get an error that the certificate does not match the hostname. Watching from wireshark confirmed, that on the initial request the certificate for *.shanske.com is returned, however after 5 minutes, the certificate for weneca.com is returned (the server's main key, same as would be returned without SNI). So it would seem that the reconnection is not including the hostname.

To reproduce

require 'net/http/persistent'
http = Net::HTTP::Persistent.new
uri = URI 'https://david.shanske.com'
response = http.request uri
sleep 310 
response = http.request uri

OpenSSL::SSL::SSLError: hostname "david.shanske.com" does not match the server certificate
        from /usr/lib64/ruby/2.1.0/openssl/ssl.rb:139:in `post_connection_check'
        from /usr/lib64/ruby/2.1.0/net/http.rb:922:in `connect'
        from /usr/lib64/ruby/2.1.0/net/http.rb:863:in `do_start'
        from /usr/lib64/ruby/2.1.0/net/http.rb:858:in `start'
        from /usr/lib64/ruby/gems/2.1.0/gems/net-http-persistent-2.9.4/lib/net/http/persistent.rb:700:in `start'
        from /usr/lib64/ruby/gems/2.1.0/gems/net-http-persistent-2.9.4/lib/net/http/persistent.rb:965:in `reset'
        from /usr/lib64/ruby/gems/2.1.0/gems/net-http-persistent-2.9.4/lib/net/http/persistent.rb:628:in `connection_for'
        from /usr/lib64/ruby/gems/2.1.0/gems/net-http-persistent-2.9.4/lib/net/http/persistent.rb:994:in `request'

[drbrain]

This is a ruby bug:

require 'net/http'
uri = URI 'https://david.shanske.com'

Net::HTTP.start uri.hostname, uri.port, use_ssl: true do |http|
  req = Net::HTTP::Get.new uri
  response = http.request req
  p response.code
  sleep 310
  req = Net::HTTP::Get.new uri
  response = http.request req
  p response.code
end

$ ruby test.rb
"200"
/usr/local/lib/ruby/2.1.0/openssl/ssl.rb:139:in `post_connection_check': hostname "david.shanske.com" does not match the server certificate (OpenSSL::SSL::SSLError)
        from /usr/local/lib/ruby/2.1.0/net/http.rb:922:in `connect'
        from /usr/local/lib/ruby/2.1.0/net/http.rb:1447:in `begin_transport'
        from /usr/local/lib/ruby/2.1.0/net/http.rb:1404:in `transport_request'
        from /usr/local/lib/ruby/2.1.0/net/http.rb:1378:in `request'
        from test.rb:10:in `block in <main>'
        from /usr/local/lib/ruby/2.1.0/net/http.rb:853:in `start'
        from /usr/local/lib/ruby/2.1.0/net/http.rb:583:in `start'
        from test.rb:4:in `<main>'

[drbrain]

I have created Bug #10533 and will work on a fix there.

[drbrain]

The bug is due to session resumption. I'll see what I can do to patch it via net-http-persistent until a release with the patch to Net::HTTP is available.

[mariusmarais]

Just got bitten hard by this issue :) Any progress on a workaround?

[lukad03]

Any progress on this issue?

EDIT: This issue may no longer be relevant: https://github.com/drbrain/net-http-persistent/blob/master/lib/net/http/persistent/ssl_reuse.rb