GNOME Bugzilla – Bug 780665
OpenSSL misses SNI TLS Extension support
Last modified: 2017-04-04 08:26:36 UTC
The OpenSSL backend misses call to SNI TLS Extension (SSL_set_tlsext_host_name) already supported by GnuTLS backend (gnutls_server_name_set).
Created attachment 348907 [details] [review] OpenSSL Support SNI TLS Extension
I was about to submit almost exactly the same patch, thanks. Though, it is not clear for me if it is ok to do SNI when get_server_identity() returns a string with the IP address. An IP address string can already be passed to X509_VERIFY_PARAM_set1_host() in this function.
(In reply to Olivier Blin from comment #2)
> Though, it is not clear for me if it is ok to do SNI when
> get_server_identity() returns a string with the IP address.
The SNI TLS Extension (when supported) will choose the correct certificate, based on hostname. The set1_host will verify that CN contains the hostname. It's rare to see IP addresses in CN, but not impossible.
Setting the SNI on the service below (without SNI support) doesn't cause issues.
openssl s_client -connect 110.249.218.86:9443
openssl s_client -servername 104.28.0.105 -connect 110.249.218.86:9443
Not setting SNI on the service below (with SNI support) causes issues.
openssl s_client -connect chrismeller.com:443
openssl s_client -servername chrismeller.com -connect chrismeller.com:443
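The question in the exchange above (whether to send SNI when the server identity is an IP address) has a defined answer in RFC 6066 section 3: literal IPv4 and IPv6 addresses are not permitted in the server_name extension, so a client should only call SSL_set_tlsext_host_name() for DNS names. The following is an added illustration, not the glib-networking patch or any code from the bug; the helper names `is_ip_literal` and `sni_name_for_identity` are assumptions, and the OpenSSL call itself is left to the caller so the block builds with plain POSIX headers.

```c
/* Decide what, if anything, to send as the TLS SNI host_name.
 * Hostname verification against the certificate (X509_VERIFY_PARAM_set1_host)
 * is a separate step and is not shown here. */
#include <arpa/inet.h>
#include <stdio.h>
#include <string.h>

/* Return 1 if `identity` is a literal IPv4 or IPv6 address (optionally
 * wrapped in [] as in URLs), 0 otherwise. */
int is_ip_literal(const char *identity)
{
    char buf[64];
    unsigned char addr[16];
    size_t len = strlen(identity);

    if (len >= sizeof(buf))
        return 0;
    /* "[2001:db8::1]" -> "2001:db8::1" */
    if (len >= 2 && identity[0] == '[' && identity[len - 1] == ']') {
        memcpy(buf, identity + 1, len - 2);
        buf[len - 2] = '\0';
    } else {
        memcpy(buf, identity, len + 1);
    }
    return inet_pton(AF_INET, buf, addr) == 1 ||
           inet_pton(AF_INET6, buf, addr) == 1;
}

/* Return the name to pass to SSL_set_tlsext_host_name(), or NULL when the
 * server_name extension must not be sent at all (IP literal or no identity). */
const char *sni_name_for_identity(const char *identity)
{
    if (identity == NULL || identity[0] == '\0' || is_ip_literal(identity))
        return NULL;
    return identity;
}

int main(void)
{
    /* Constructed sample identities, including the ones from this thread. */
    const char *ids[] = { "chrismeller.com", "110.249.218.86",
                          "[2001:db8::1]", "104.28.0.105" };
    for (size_t i = 0; i < sizeof(ids) / sizeof(ids[0]); i++) {
        const char *sni = sni_name_for_identity(ids[i]);
        printf("%-16s -> %s\n", ids[i], sni ? sni : "(no SNI)");
    }
    return 0;
}
```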
Review of attachment 348907 [details] [review]: Fine for me thanks.
BTW extra points if you add a unit test for this.
Thanks Attachment 348907 [details] pushed as 6e4f252 - OpenSSL Support SNI TLS Extension