X-Git-Url: https://diplodocus.org/git/nmh/blobdiff_plain/cc0297996b85bbf459d7c2acf27515f62f44e345..9ef6b510ada8a7d3b053ebaef0686570ebf00f63:/sbr/netsec.c?ds=sidebyside diff --git a/sbr/netsec.c b/sbr/netsec.c index 75be76a3..2d70b379 100644 --- a/sbr/netsec.c +++ b/sbr/netsec.c @@ -837,7 +837,7 @@ retry: * At that point, just give up. */ netsec_err(errstr, "Internal error: wanted to printf() a total of " - "%d bytes, but our buffer size was only %d bytes", + "%d bytes, but our buffer size was only %d bytes", rc, nsc->ns_outbufsize); return NOTOK; } @@ -926,7 +926,7 @@ netsec_flush(netsec_context *nsc, char **errstr) if (nsc->ns_snoop_savebuf) { cb_len += strlen(nsc->ns_snoop_savebuf); nsc->ns_snoop_savebuf = mh_xrealloc(nsc->ns_snoop_savebuf, - outlen); + outlen); ptr = nsc->ns_snoop_savebuf; } else { ptr = snoopoutbuf; @@ -1260,7 +1260,7 @@ netsec_negotiate_sasl(netsec_context *nsc, const char *mechlist, char **errstr) &xoauth_client_res, &xoauth_client_res_len, nsc->ns_snoop ? stderr : NULL) != OK) { netsec_err(errstr, "Internal error: Unable to get OAuth2 " - "bearer token"); + "bearer token"); return NOTOK; } @@ -1359,7 +1359,7 @@ netsec_negotiate_sasl(netsec_context *nsc, const char *mechlist, char **errstr) */ rc = sasl_client_start(nsc->sasl_conn, - nsc->sasl_mech ? nsc->sasl_mech : mechlist, NULL, + nsc->sasl_mech ? nsc->sasl_mech : mechlist, NULL, (const char **) &saslbuf, &saslbuflen, &chosen_mech); @@ -1383,7 +1383,7 @@ netsec_negotiate_sasl(netsec_context *nsc, const char *mechlist, char **errstr) */ while (rc == SASL_CONTINUE) { - /* + /* * Call our SASL callback, which will handle the details of * reading data from the network. */ @@ -1624,6 +1624,11 @@ netsec_set_tls(netsec_context *nsc, int tls, int noverify, char **errstr) return NOTOK; } + if (!nsc->ns_hostname) { + netsec_err(errstr, "Internal error: hostname not set"); + return NOTOK; + } + /* * Create the SSL structure which holds the data for a single * TLS connection. 
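Review bot: The new `if (!nsc->ns_hostname)` guard in the `@@ -1624,6 +1624,11 @@` hunk appears to apply to every TLS setup, including connections made with noverify set, and nothing at the guard says why. The check it replaces (removed in the `@@ -1696,12 +1707,6 @@` hunk) applied, judging by its message, only when certificate verification was enabled. A one-line comment would record the reason, e.g. `/* Hostname is needed for SNI as well as for certificate name checks */`. Callers that used noverify without setting a hostname will now get "Internal error: hostname not set"; that looks intended, but should be confirmed against the call sites, which are not in this diff. The body of netsec_set_tls starts and ends outside the hunk, so it is not visible here whether the guard sits inside the branch that enables TLS.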
@@ -1680,6 +1685,12 @@ netsec_set_tls(netsec_context *nsc, int tls, int noverify, char **errstr) SSL_set_bio(ssl, rbio, wbio); SSL_set_connect_state(ssl); + /* + * Use the hostname to set the Server Name Indicator extension + */ + + SSL_set_tlsext_host_name(ssl, nsc->ns_hostname); + /* * If noverify is NOT set, then do certificate validation. * Turning on SSL_VERIFY_PEER will verify the certificate chain @@ -1696,12 +1707,6 @@ netsec_set_tls(netsec_context *nsc, int tls, int noverify, char **errstr) #endif /* HAVE_X509_VERIFY_PARAM_SET1_HOST */ SSL_set_verify(ssl, SSL_VERIFY_PEER, NULL); - if (! nsc->ns_hostname) { - netsec_err(errstr, "Internal error: hostname not set and " - "certification verification enabled"); - SSL_free(ssl); - return NOTOK; - } #ifdef HAVE_X509_VERIFY_PARAM_SET1_HOST param = SSL_get0_param(ssl); @@ -1720,7 +1725,7 @@ netsec_set_tls(netsec_context *nsc, int tls, int noverify, char **errstr) if (! ssl_bio) { netsec_err(errstr, "Unable to create a SSL BIO: %s", - ERR_error_string(ERR_get_error(), NULL)); + ERR_error_string(ERR_get_error(), NULL)); SSL_free(ssl); return NOTOK; } @@ -1845,7 +1850,7 @@ netsec_err(char **errstr, const char *fmt, ...) int rc = 127; if (! errstr) - return; + return; do { errbufsize = rc + 1;
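Review bot: The result of `SSL_set_tlsext_host_name(ssl, nsc->ns_hostname)` in the `@@ -1680,6 +1685,12 @@` hunk is discarded, so if the call fails (it returns 0 on error) the handshake proceeds without SNI. A name-based virtual host may then present its default certificate, which surfaces later as a confusing verification failure or, with noverify set, goes unnoticed. Checking the result and failing the way the neighbouring error paths do (`SSL_free(ssl); return NOTOK;`) keeps the failure next to its cause. If ns_hostname can hold an IP literal (not visible here), the extension should be skipped for it, since RFC 6066 permits only DNS names in the server name. The added comment should read "Server Name Indication"; netsec_set_tls starts and ends outside the hunk.

```c
    /* … unchanged: SSL_set_bio() and SSL_set_connect_state() … */

    /*
     * Use the hostname to set the Server Name Indication extension
     */

    if (! SSL_set_tlsext_host_name(ssl, nsc->ns_hostname)) {
	netsec_err(errstr, "Unable to set TLS server name: %s",
		   ERR_error_string(ERR_get_error(), NULL));
	SSL_free(ssl);
	return NOTOK;
    }

    /* … unchanged: certificate verification setup … */
```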