- Curt Bogmine reported a problem with SNI enabled on a particular server. We
should introduce an option to disable SNI, but as we're in feature freeze now I've addressed the obvious bug here (pointed out by Peter Sylvester): we shouldn't try to enable SNI when SSLv2 or SSLv3 is explicitly selected. Code for OpenSSL and GnuTLS was fixed. NSS doesn't seem to have a particular option for SNI, or are we simply not using it?
This commit is contained in:
parent
c0e8bed5bf
commit
6d891d2a3b
8
CHANGES
8
CHANGES
@ -6,6 +6,14 @@
|
|||||||
|
|
||||||
Changelog
|
Changelog
|
||||||
|
|
||||||
|
Daniel Stenberg (2 Aug 2009)
|
||||||
|
- Curt Bogmine reported a problem with SNI enabled on a particular server. We
|
||||||
|
should introduce an option to disable SNI, but as we're in feature freeze
|
||||||
|
now I've addressed the obvious bug here (pointed out by Peter Sylvester): we
|
||||||
|
shouldn't try to enable SNI when SSLv2 or SSLv3 is explicitly selected.
|
||||||
|
Code for OpenSSL and GnuTLS was fixed. NSS doesn't seem to have a particular
|
||||||
|
option for SNI, or are we simply not using it?
|
||||||
|
|
||||||
Daniel Stenberg (1 Aug 2009)
|
Daniel Stenberg (1 Aug 2009)
|
||||||
- Scott Cantor posted the bug report #2829955
|
- Scott Cantor posted the bug report #2829955
|
||||||
(http://curl.haxx.se/bug/view.cgi?id=2829955) mentioning the recent SSL cert
|
(http://curl.haxx.se/bug/view.cgi?id=2829955) mentioning the recent SSL cert
|
||||||
|
@ -41,6 +41,7 @@ This release includes the following bugfixes:
|
|||||||
o with noproxy set you could still get a proxy if a proxy env was set
|
o with noproxy set you could still get a proxy if a proxy env was set
|
||||||
o rand seeding on libcurl on windows built with OpenSSL was not thread-safe
|
o rand seeding on libcurl on windows built with OpenSSL was not thread-safe
|
||||||
o fixed the zero byte inserted in cert name flaw in libcurl+OpenSSL
|
o fixed the zero byte inserted in cert name flaw in libcurl+OpenSSL
|
||||||
|
o don't try SNI with SSLv2 or SSLv3 (OpenSSL and GnuTLS builds)
|
||||||
|
|
||||||
This release includes the following known bugs:
|
This release includes the following known bugs:
|
||||||
|
|
||||||
@ -54,6 +55,6 @@ advice from friends like these:
|
|||||||
Aaron Oneal, Igor Novoseltsev, Eric Wong, Bill Hoffman, Daniel Steinberg,
|
Aaron Oneal, Igor Novoseltsev, Eric Wong, Bill Hoffman, Daniel Steinberg,
|
||||||
Fabian Keil, Michal Marek, Reuven Wachtfogel, Markus Koetter,
|
Fabian Keil, Michal Marek, Reuven Wachtfogel, Markus Koetter,
|
||||||
Constantine Sapuntzakis, David Binderman, Johan van Selst, Alexander Beedie,
|
Constantine Sapuntzakis, David Binderman, Johan van Selst, Alexander Beedie,
|
||||||
Tanguy Fautre, Scott Cantor
|
Tanguy Fautre, Scott Cantor, Curt Bogmine, Peter Sylvester
|
||||||
|
|
||||||
Thanks! (and sorry if I forgot to mention someone)
|
Thanks! (and sorry if I forgot to mention someone)
|
||||||
|
@ -3,12 +3,8 @@ To be addressed in 7.19.6 (planned release: August 2009)
|
|||||||
|
|
||||||
248 - "Pausing pipeline problems."
|
248 - "Pausing pipeline problems."
|
||||||
|
|
||||||
249 - Wildcard cert name checking and null termination
|
|
||||||
|
|
||||||
251 - TFTP block size
|
251 - TFTP block size
|
||||||
|
|
||||||
252 - disable SNI for SSLv2 and SSLv3
|
|
||||||
|
|
||||||
To be addressed in 7.19.7 (planned release: October 2009)
|
To be addressed in 7.19.7 (planned release: October 2009)
|
||||||
=========================
|
=========================
|
||||||
|
|
||||||
|
@ -260,6 +260,7 @@ Curl_gtls_connect(struct connectdata *conn,
|
|||||||
const char *ptr;
|
const char *ptr;
|
||||||
void *ssl_sessionid;
|
void *ssl_sessionid;
|
||||||
size_t ssl_idsize;
|
size_t ssl_idsize;
|
||||||
|
bool sni = TRUE; /* default is SNI enabled */
|
||||||
#ifdef ENABLE_IPV6
|
#ifdef ENABLE_IPV6
|
||||||
struct in6_addr addr;
|
struct in6_addr addr;
|
||||||
#else
|
#else
|
||||||
@ -279,6 +280,8 @@ Curl_gtls_connect(struct connectdata *conn,
|
|||||||
failf(data, "GnuTLS does not support SSLv2");
|
failf(data, "GnuTLS does not support SSLv2");
|
||||||
return CURLE_SSL_CONNECT_ERROR;
|
return CURLE_SSL_CONNECT_ERROR;
|
||||||
}
|
}
|
||||||
|
else if(data->set.ssl.version == CURL_SSLVERSION_SSLv3)
|
||||||
|
sni = FALSE; /* SSLv3 has no SNI */
|
||||||
|
|
||||||
/* allocate a cred struct */
|
/* allocate a cred struct */
|
||||||
rc = gnutls_certificate_allocate_credentials(&conn->ssl[sockindex].cred);
|
rc = gnutls_certificate_allocate_credentials(&conn->ssl[sockindex].cred);
|
||||||
@ -335,6 +338,7 @@ Curl_gtls_connect(struct connectdata *conn,
|
|||||||
#ifdef ENABLE_IPV6
|
#ifdef ENABLE_IPV6
|
||||||
(0 == Curl_inet_pton(AF_INET6, conn->host.name, &addr)) &&
|
(0 == Curl_inet_pton(AF_INET6, conn->host.name, &addr)) &&
|
||||||
#endif
|
#endif
|
||||||
|
sni &&
|
||||||
(gnutls_server_name_set(session, GNUTLS_NAME_DNS, conn->host.name,
|
(gnutls_server_name_set(session, GNUTLS_NAME_DNS, conn->host.name,
|
||||||
strlen(conn->host.name)) < 0))
|
strlen(conn->host.name)) < 0))
|
||||||
infof(data, "WARNING: failed to configure server name indication (SNI) "
|
infof(data, "WARNING: failed to configure server name indication (SNI) "
|
||||||
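Review bot: The new `else if` on the SSLv3 check disables SNI silently: once `sni` is FALSE the `sni &&` guard added in the third hunk skips gnutls_server_name_set() with no trace in the verbose output, so a handshake that then fails against a name-based virtual host is hard to diagnose from the client side. Consider logging the decision next to the store, in the same style as the existing infof() warning, e.g. `else if(data->set.ssl.version == CURL_SSLVERSION_SSLv3) { sni = FALSE; /* SSLv3 has no SNI */ infof(data, "SSLv3 selected, not sending SNI\n"); }`. The same applies to the two `sni = FALSE;` stores in the ossl_connect_step1 section below. Curl_gtls_connect starts and ends outside the hunks shown here.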
|
@ -1351,6 +1351,7 @@ ossl_connect_step1(struct connectdata *conn,
|
|||||||
X509_LOOKUP *lookup=NULL;
|
X509_LOOKUP *lookup=NULL;
|
||||||
curl_socket_t sockfd = conn->sock[sockindex];
|
curl_socket_t sockfd = conn->sock[sockindex];
|
||||||
struct ssl_connect_data *connssl = &conn->ssl[sockindex];
|
struct ssl_connect_data *connssl = &conn->ssl[sockindex];
|
||||||
|
bool sni = TRUE; /* default is SNI enabled */
|
||||||
#ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
|
#ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
|
||||||
#ifdef ENABLE_IPV6
|
#ifdef ENABLE_IPV6
|
||||||
struct in6_addr addr;
|
struct in6_addr addr;
|
||||||
@ -1376,9 +1377,11 @@ ossl_connect_step1(struct connectdata *conn,
|
|||||||
break;
|
break;
|
||||||
case CURL_SSLVERSION_SSLv2:
|
case CURL_SSLVERSION_SSLv2:
|
||||||
req_method = SSLv2_client_method();
|
req_method = SSLv2_client_method();
|
||||||
|
sni = FALSE;
|
||||||
break;
|
break;
|
||||||
case CURL_SSLVERSION_SSLv3:
|
case CURL_SSLVERSION_SSLv3:
|
||||||
req_method = SSLv3_client_method();
|
req_method = SSLv3_client_method();
|
||||||
|
sni = FALSE;
|
||||||
break;
|
break;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -1565,6 +1568,7 @@ ossl_connect_step1(struct connectdata *conn,
|
|||||||
#ifdef ENABLE_IPV6
|
#ifdef ENABLE_IPV6
|
||||||
(0 == Curl_inet_pton(AF_INET6, conn->host.name, &addr)) &&
|
(0 == Curl_inet_pton(AF_INET6, conn->host.name, &addr)) &&
|
||||||
#endif
|
#endif
|
||||||
|
sni &&
|
||||||
!SSL_set_tlsext_host_name(connssl->handle, conn->host.name))
|
!SSL_set_tlsext_host_name(connssl->handle, conn->host.name))
|
||||||
infof(data, "WARNING: failed to configure server name indication (SNI) "
|
infof(data, "WARNING: failed to configure server name indication (SNI) "
|
||||||
"TLS extension\n");
|
"TLS extension\n");
|
||||||
|
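Review bot: `bool sni = TRUE;` is declared just before the `#ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME` block, but its only read, the `sni &&` in the last hunk, appears to sit inside that block (it guards SSL_set_tlsext_host_name), while the two `sni = FALSE;` stores in the version switch are unconditional; on an OpenSSL built without the TLS extension the variable would be assigned and never read, which newer compilers report as set-but-unused. Either guard the declaration and both stores with the same `#ifdef`, or add `(void)sni;` after the switch — hedged, since the end of the `#ifdef` region is outside the hunk. Separately, the stores in the SSLv2 and SSLv3 cases carry no comment whereas the GnuTLS change has `/* SSLv3 has no SNI */`; `sni = FALSE; /* no SNI in SSLv2/SSLv3 */` keeps the two backends consistent. ossl_connect_step1 starts and ends outside the hunks shown here.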