(diff from parent 1: fcaa304)
Add support for sending the TLS Server Name Indicator extension
during TLS connection negotiation.
historical practice and reduce packaging dependencies on external programs.
- A new -checkbase64 switch to mhfixmsg(1).
- inc(1)/msgchk(1) now support STARTTLS for the POP protocol.
+- All TLS-supported protocols now will send the SNI (server name indicator)
+ TLS extension.
-----------------
OBSOLETE FEATURES
-----------------
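Review bot: the parenthetical in the added NEWS entry expands SNI wrongly; the extension is the TLS Server Name Indication extension (RFC 6066), not "server name indicator", and "now will send" reads better as "will now send". Suggest: "- All TLS-supported protocols will now send the TLS Server Name Indication (SNI) extension."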
/*
* Set the hostname of the server we're connecting to. This is used
* by the Cyrus-SASL library and by the TLS code. This must be called
- * before netsec_negotiate_tls() or netsec_set_sasl_params().
+ * before netsec_set_tls() or netsec_set_sasl_params().
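Review bot: the stale function name is fixed, but the comment still reads as if the hostname only matters for netsec_set_tls() and netsec_set_sasl_params(); elsewhere in this patch the hostname becomes mandatory at TLS negotiation time regardless of the noverify setting, so it is worth stating that here so callers learn the requirement from netsec_set_hostname()'s own documentation. Suggest: " * before netsec_set_tls() or netsec_set_sasl_params(); TLS negotiation" / " * fails if no hostname has been set."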
*
* Note: callers still have to call netsec_tls_negotiate() to start
* TLS negotiation at the appropriate point in the protocol. The
- * remote hostname (controlled by netsec_set_hostname()) should have
- * already been set before this function is called unless certificate
- * verification is disabled.
+ * remote hostname (controlled by netsec_set_hostname()) is required
+ * to be set before calling this function.
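Review bot: the new wording says the hostname "is required to be set before calling this function", but the only check this patch adds lives in the TLS negotiation function, so netsec_set_tls() silently accepts a missing hostname and the caller only learns about it later from "Internal error: hostname not set". Either add the same `if (!nsc->ns_hostname)` check to netsec_set_tls() so the comment is literally true, or reword it to "must be set before TLS negotiation is started". Separately, the unchanged Note above refers to netsec_tls_negotiate() while the line removed in the previous hunk used netsec_negotiate_tls(); please confirm which name is the real function so the Note is not left pointing at a name that does not exist.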
/*
* Start TLS negotiation on this protocol. This connection should have
- * netsec_set_tls() called on it.
+ * netsec_set_tls() already called on it.
+ if (!nsc->ns_hostname) {
+ netsec_err(errstr, "Internal error: hostname not set");
+ return NOTOK;
+ }
+
/*
* Create the SSL structure which holds the data for a single
* TLS connection.
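Review bot: placing the hostname check before the SSL structure is created is the right move (no SSL_free() needed on this error path, unlike the check it replaces), but two things should accompany it. First, the doc comment just above still lists only netsec_set_tls() as a precondition; add "and netsec_set_hostname()" so the requirement is documented where it is enforced. Second, the old check only fired when certificate verification was enabled ("hostname not set and certification verification enabled"), so a caller that connected with noverify and no hostname used to work and now fails with an internal error; that behaviour change deserves a sentence in the commit message or NEWS entry.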
SSL_set_bio(ssl, rbio, wbio);
SSL_set_connect_state(ssl);
+ /*
+ * Use the hostname to set the Server Name Indicator extension
+ */
+
+ SSL_set_tlsext_host_name(ssl, nsc->ns_hostname);
+
/*
* If noverify is NOT set, then do certificate validation.
* Turning on SSL_VERIFY_PEER will verify the certificate chain
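Review bot: the return value of SSL_set_tlsext_host_name() is ignored. It returns 1 on success and 0 on failure (for example when the name exceeds the maximum host_name length the extension allows), so a failure here would silently produce a ClientHello without SNI and a confusing certificate mismatch later; check it and fail like the other error paths in this function, e.g. `if (SSL_set_tlsext_host_name(ssl, nsc->ns_hostname) != 1) { netsec_err(errstr, "Unable to set TLS server name"); SSL_free(ssl); return NOTOK; }`. Also, RFC 6066 section 3 forbids IPv4/IPv6 address literals in the SNI HostName field; if ns_hostname can be an address (a user pointing inc at a server by IP), skip the call for literals. Minor: the new comment should say "Server Name Indication" rather than "Server Name Indicator".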
#endif /* HAVE_X509_VERIFY_PARAM_SET1_HOST */
SSL_set_verify(ssl, SSL_VERIFY_PEER, NULL);
- if (! nsc->ns_hostname) {
- netsec_err(errstr, "Internal error: hostname not set and "
- "certification verification enabled");
- SSL_free(ssl);
- return NOTOK;
- }
#ifdef HAVE_X509_VERIFY_PARAM_SET1_HOST
param = SSL_get0_param(ssl);
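Review bot: with the hostname check removed from this spot, binding the peer certificate to ns_hostname in the verifying path now depends entirely on the block guarded by HAVE_X509_VERIFY_PARAM_SET1_HOST that follows SSL_set_verify(). SSL_VERIFY_PEER on its own validates only the chain, not the name, so please confirm that the build without X509_VERIFY_PARAM_set1_host() still matches the certificate against ns_hostname some other way; otherwise sending SNI makes the server choose the right certificate, but a valid certificate for any name would still be accepted. The removed message also carried a typo ("certification verification"), which the replacement check's wording avoids.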