X-Git-Url: https://diplodocus.org/git/nmh/blobdiff_plain/0f043edd0c369786faa28e4ec2dd583467d048be..9ef6b510ada8a7d3b053ebaef0686570ebf00f63:/sbr/netsec.c
diff --git a/sbr/netsec.c b/sbr/netsec.c
index a4ede210..2d70b379 100644
--- a/sbr/netsec.c
+++ b/sbr/netsec.c
@@ -1624,6 +1624,11 @@ netsec_set_tls(netsec_context *nsc, int tls, int noverify, char **errstr)
 return NOTOK;
 }
+ if (!nsc->ns_hostname) {
+ netsec_err(errstr, "Internal error: hostname not set");
+ return NOTOK;
+ }
+
 /*
 * Create the SSL structure which holds the data for a single
 * TLS connection.
@@ -1680,6 +1685,12 @@ netsec_set_tls(netsec_context *nsc, int tls, int noverify, char **errstr)
 SSL_set_bio(ssl, rbio, wbio);
 SSL_set_connect_state(ssl);
+ /*
+ * Use the hostname to set the Server Name Indicator extension
+ */
+
+ SSL_set_tlsext_host_name(ssl, nsc->ns_hostname);
+
 /*
 * If noverify is NOT set, then do certificate validation.
 * Turning on SSL_VERIFY_PEER will verify the certificate chain
@@ -1696,12 +1707,6 @@ netsec_set_tls(netsec_context *nsc, int tls, int noverify, char **errstr)
 #endif /* HAVE_X509_VERIFY_PARAM_SET1_HOST */
 SSL_set_verify(ssl, SSL_VERIFY_PEER, NULL);
- if (! nsc->ns_hostname) {
- netsec_err(errstr, "Internal error: hostname not set and "
- "certification verification enabled");
- SSL_free(ssl);
- return NOTOK;
- }
 #ifdef HAVE_X509_VERIFY_PARAM_SET1_HOST
 param = SSL_get0_param(ssl);
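Review bot: The guard added in the first hunk now rejects a missing hostname even when noverify is set, but nothing at that spot says why. The old message tied the requirement to certificate verification, and the new one gives no reason. A short comment above the check would help, e.g. `/* The hostname is needed for SNI as well as for certificate verification */`. netsec_set_tls() begins and ends outside the hunk.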
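Review bot: The return value of `SSL_set_tlsext_host_name()` in the second hunk is discarded, so if setting the name fails the handshake goes ahead without SNI. A name-based virtual host may then present its default certificate, which would pass unnoticed when noverify is set. The call should be checked for a result other than 1, with the failure reported through netsec_err(), ssl freed and NOTOK returned, as the block removed in the third hunk did on its error path. It is also worth confirming that ns_hostname is never an IP literal, since RFC 6066 does not permit literal addresses in the server_name extension. netsec_set_tls() begins and ends outside the hunk.

```c
    if (SSL_set_tlsext_host_name(ssl, nsc->ns_hostname) != 1) {
        netsec_err(errstr, "Unable to set TLS server name");
        SSL_free(ssl);
        return NOTOK;
    }
    /* … unchanged: noverify / SSL_set_verify handling … */
```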