Bug 780665 - OpenSSL misses SNI TLS Extension support
Status: RESOLVED FIXED
Product: glib-openssl
Classification: Other
Component: general
Version: 2.50.x
Hardware: Other
OS: All
Importance: Normal major
Target Milestone: ---
Assigned To: glib-openssl Maintainers
Depends on:
Blocks:
 
 
Reported: 2017-03-28 21:39 UTC by Athanasios Oikonomou
Modified: 2017-04-04 08:26 UTC
See Also:
GNOME target: ---
GNOME version: ---


Attachments
OpenSSL Support SNI TLS Extension (2.37 KB, patch)
2017-03-28 21:43 UTC, Athanasios Oikonomou
Status: committed

Description Athanasios Oikonomou 2017-03-28 21:39:02 UTC
The OpenSSL backend misses call to SNI TLS Extension (SSL_set_tlsext_host_name) already supported by GnuTLS backend (gnutls_server_name_set).
Comment 1 Athanasios Oikonomou 2017-03-28 21:43:41 UTC
Created attachment 348907
OpenSSL Support SNI TLS Extension
Comment 2 Olivier Blin 2017-03-28 22:13:13 UTC
I was about to submit almost exactly the same patch, thanks.

Though, it is not clear for me if it is ok to do SNI when get_server_identity() returns a string with the IP address.

An IP address string can already be passed to X509_VERIFY_PARAM_set1_host() in this function.
Comment 3 Athanasios Oikonomou 2017-03-29 07:24:28 UTC
(In reply to Olivier Blin from comment #2)
> Though, it is not clear for me if it is ok to do SNI when
> get_server_identity() returns a string with the IP address.

The SNI TLS Extension (when supported) will choose the correct certificate, based on hostname. The set1_host will verify that CN contains the hostname.

It's rare to see IP addresses in CN, but not impossible.

Setting the SNI on the service below (without SNI support) doesn't cause issues.

openssl s_client -connect 110.249.218.86:9443
openssl s_client -servername 104.28.0.105 -connect 110.249.218.86:9443

Not setting SNI on the service below (with SNI support) causes issues.

openssl s_client -connect chrismeller.com:443
openssl s_client -servername chrismeller.com -connect chrismeller.com:443
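The question raised in comment 2 (should SNI be sent when the identity is an IP address string?) can be answered by looking at what actually goes on the wire. RFC 6066 section 3 states that literal IPv4 and IPv6 addresses are not permitted in the server_name HostName field, so a careful client sends SNI only for DNS names and still verifies IP identities against the certificate's iPAddress SAN. The following is an added example, not code from glib-openssl or from this bug's patch. It uses Python's standard `ssl` module (itself built on OpenSSL) to drive a client handshake into a memory BIO and then parses the resulting ClientHello to see whether a server_name extension was included. The host name and IP addresses are the ones quoted in comment 3; no network connection is made.

```python
"""Inspect whether a TLS client puts a server_name (SNI) extension on the wire.

Added example (not part of glib-openssl). Requires Python 3.7+, where
SSLContext.wrap_bio() accepts an IP literal as server_hostname and, like
RFC 6066 requires, verifies it via the certificate's iPAddress SAN instead of
sending it as SNI.
"""
import ssl
import struct


def client_hello_bytes(server_hostname: str) -> bytes:
    """Start a client handshake against nobody and return the ClientHello record.

    The handshake cannot complete (there is no peer), but the first flight is
    written into the outgoing MemoryBIO, which is all we need to inspect.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # check_hostname=True, CERT_REQUIRED
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_side=False,
                       server_hostname=server_hostname)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass  # ClientHello has been written; the peer's reply would be needed to go on
    return outgoing.read()


def sni_from_client_hello(record: bytes):
    """Return the host_name carried by the server_name extension, or None if absent.

    Walks the TLS record header, the ClientHello body (version, random,
    session_id, cipher_suites, compression_methods) and then the extension
    list, looking for extension type 0 (server_name, RFC 6066).
    """
    if not record or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    body = record[5:]                       # strip 5-byte record header
    if body[0] != 0x01:
        raise ValueError("not a ClientHello")
    pos = 4 + 2 + 32                        # handshake header, client_version, random
    sid_len = body[pos]
    pos += 1 + sid_len
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2 + cs_len
    comp_len = body[pos]
    pos += 1 + comp_len
    if pos >= len(body):
        return None                         # no extensions block at all
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        if etype == 0:                      # server_name extension
            data = body[pos:pos + elen]
            list_len = struct.unpack("!H", data[:2])[0]
            p = 2
            while p + 3 <= 2 + list_len:
                ntype = data[p]
                nlen = struct.unpack("!H", data[p + 1:p + 3])[0]
                p += 3
                if ntype == 0:              # NameType host_name
                    return data[p:p + nlen].decode("ascii")
                p += nlen
            return None
        pos += elen
    return None


def sni_sent_for(identity: str):
    """Convenience wrapper: what SNI, if any, does the client send for this identity?"""
    return sni_from_client_hello(client_hello_bytes(identity))


if __name__ == "__main__":
    # Identities taken from comment 3 of this bug; nothing is contacted.
    for identity in ("chrismeller.com", "104.28.0.105", "2001:db8::1"):
        print(f"{identity:20s} -> SNI sent: {sni_sent_for(identity)!r}")
```

For a DNS name the ClientHello carries the name in the server_name extension; for an IPv4 or IPv6 literal no server_name extension is emitted, yet `check_hostname` remains in force and the certificate would be matched against its iPAddress SAN. That is the split the OpenSSL backend needs to make by hand: `SSL_set_tlsext_host_name()` plus `X509_VERIFY_PARAM_set1_host()` for names, and `X509_VERIFY_PARAM_set1_ip_asc()` without SNI for IP literals.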
Comment 4 Ignacio Casal Quinteiro (nacho) 2017-03-29 07:31:06 UTC
Review of attachment 348907:

Fine for me thanks.
Comment 5 Ignacio Casal Quinteiro (nacho) 2017-03-29 07:44:57 UTC
BTW extra points if you add an unit test for this.
Comment 6 Ignacio Casal Quinteiro (nacho) 2017-04-04 08:26:32 UTC
Thanks

Attachment 348907 pushed as 6e4f252 - OpenSSL Support SNI TLS Extension