From: Ken Hornstein
Date: Sat, 29 Jun 2019 18:17:16 +0000 (-0400)
Subject: Support the TLS SNI extension
X-Git-Url: https://diplodocus.org/git/nmh/commitdiff_plain/a0f05edf314126b7cb7267d5b873592a60503df8?ds=sidebyside;hp=fcaa3047b2a23fc0c36be518d1ca1ea0b0cb3b66
Support the TLS SNI extension
Add support for sending the TLS Server Name Indicator extension during TLS connection negotiation.
---
diff --git a/docs/pending-release-notes b/docs/pending-release-notes
index a5b0f223..980ee83e 100644
--- a/docs/pending-release-notes
+++ b/docs/pending-release-notes
@@ -8,6 +8,8 @@ NEW FEATURES
 historical practice and reduce packaging dependencies on external programs.
 - A new -checkbase64 switch to mhfixmsg(1).
 - inc(1)/msgchk(1) now support STARTTLS for the POP protocol.
+- All TLS-supported protocols now will send the SNI (server name indicator)
+ TLS extension.
 -----------------
 OBSOLETE FEATURES
diff --git a/h/netsec.h b/h/netsec.h
index 3e7975b4..6c69c82c 100644
--- a/h/netsec.h
+++ b/h/netsec.h
@@ -52,7 +52,7 @@ void netsec_set_userid(netsec_context *ns_context, const char *userid);
 /*
 * Set the hostname of the server we're connecting to. This is used
 * by the Cyrus-SASL library and by the TLS code. This must be called
- * before netsec_negotiate_tls() or netsec_set_sasl_params().
+ * before netsec_set_tls() or netsec_set_sasl_params().
 *
 * Arguments:
 *
@@ -399,9 +399,8 @@ int netsec_set_oauth_service(netsec_context *ns_context, const char *service);
 *
 * Note: callers still have to call netsec_tls_negotiate() to start
 * TLS negotiation at the appropriate point in the protocol. The
- * remote hostname (controlled by netsec_set_hostname()) should have
- * already been set before this function is called unless certificate
- * verification is disabled.
+ * remote hostname (controlled by netsec_set_hostname()) is required
+ * to be set before calling this function.
 *
 * Arguments
 *
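Review bot: The rewritten paragraph in the second h/netsec.h hunk (-399) says the hostname is required but not what happens when it is missing; the guard this commit adds in sbr/netsec.c returns NOTOK with an "Internal error" message, so the comment could add `If the hostname has not been set, this function fails and returns NOTOK.` The unchanged line just above still refers to `netsec_tls_negotiate()`, while the line removed in the first hunk spelled the function `netsec_negotiate_tls()`; one of the two spellings is presumably a typo and could be corrected in the same pass. The comment block starts and ends outside the hunk.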
@@ -418,7 +417,7 @@ int netsec_set_tls(netsec_context *context, int tls, int noverify,
 /*
 * Start TLS negotiation on this protocol. This connection should have
- * netsec_set_tls() called on it.
+ * netsec_set_tls() already called on it.
 *
 * Arguments:
 *
diff --git a/sbr/netsec.c b/sbr/netsec.c
index a4ede210..2d70b379 100644
--- a/sbr/netsec.c
+++ b/sbr/netsec.c
@@ -1624,6 +1624,11 @@ netsec_set_tls(netsec_context *nsc, int tls, int noverify, char **errstr)
 return NOTOK;
 }
+ if (!nsc->ns_hostname) {
+ netsec_err(errstr, "Internal error: hostname not set");
+ return NOTOK;
+ }
+
 /*
 * Create the SSL structure which holds the data for a single
 * TLS connection.
@@ -1680,6 +1685,12 @@ netsec_set_tls(netsec_context *nsc, int tls, int noverify, char **errstr)
 SSL_set_bio(ssl, rbio, wbio);
 SSL_set_connect_state(ssl);
+ /*
+ * Use the hostname to set the Server Name Indicator extension
+ */
+
+ SSL_set_tlsext_host_name(ssl, nsc->ns_hostname);
+
 /*
 * If noverify is NOT set, then do certificate validation.
 * Turning on SSL_VERIFY_PEER will verify the certificate chain
@@ -1696,12 +1707,6 @@ netsec_set_tls(netsec_context *nsc, int tls, int noverify, char **errstr)
 #endif /* HAVE_X509_VERIFY_PARAM_SET1_HOST */
 SSL_set_verify(ssl, SSL_VERIFY_PEER, NULL);
- if (! nsc->ns_hostname) {
- netsec_err(errstr, "Internal error: hostname not set and "
- "certification verification enabled");
- SSL_free(ssl);
- return NOTOK;
- }
 #ifdef HAVE_X509_VERIFY_PARAM_SET1_HOST
 param = SSL_get0_param(ssl);
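Review bot: The result of `SSL_set_tlsext_host_name(ssl, nsc->ns_hostname)` in the second sbr/netsec.c hunk (-1680) is discarded, so if OpenSSL fails to record the name the handshake goes ahead without SNI and nothing is reported to the caller. Because the call sits after `SSL_set_bio()`, a failure path should free the SSL object the way the check removed in the last hunk did: `if (SSL_set_tlsext_host_name(ssl, nsc->ns_hostname) != 1) { netsec_err(errstr, "Unable to set TLS SNI hostname"); SSL_free(ssl); return NOTOK; }`. RFC 6066 does not permit literal IPv4/IPv6 addresses in the SNI HostName, and the guard added in the first hunk only rejects a NULL pointer, so an address literal or an empty string passed to netsec_set_hostname() would be sent as-is; skipping the call for those values would keep the ClientHello conformant. The body of netsec_set_tls() starts and ends outside the hunk.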