- Curt Bogmine reported a problem with SNI enabled on a particular server. We
  should introduce an option to disable SNI, but as we're in feature freeze
  now I've addressed the obvious bug here (pointed out by Peter Sylvester): we
  shouldn't try to enable SNI when SSLv2 or SSLv3 is explicitly selected.
  Code for OpenSSL and GnuTLS was fixed. NSS doesn't seem to have a particular
  option for SNI, or are we simply not using it?
This commit is contained in:
Daniel Stenberg 2009-08-01 22:11:58 +00:00
parent c0e8bed5bf
commit 6d891d2a3b
5 changed files with 18 additions and 5 deletions

View File

@ -6,6 +6,14 @@
Changelog Changelog
Daniel Stenberg (2 Aug 2009)
- Curt Bogmine reported a problem with SNI enabled on a particular server. We
should introduce an option to disable SNI, but as we're in feature freeze
now I've addressed the obvious bug here (pointed out by Peter Sylvester): we
shouldn't try to enable SNI when SSLv2 or SSLv3 is explicitly selected.
Code for OpenSSL and GnuTLS was fixed. NSS doesn't seem to have a particular
option for SNI, or are we simply not using it?
Daniel Stenberg (1 Aug 2009) Daniel Stenberg (1 Aug 2009)
- Scott Cantor posted the bug report #2829955 - Scott Cantor posted the bug report #2829955
(http://curl.haxx.se/bug/view.cgi?id=2829955) mentioning the recent SSL cert (http://curl.haxx.se/bug/view.cgi?id=2829955) mentioning the recent SSL cert
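Review bot: the open question in the new Changelog entry ("NSS doesn't seem to have a particular option for SNI, or are we simply not using it?") ships unresolved in a file users read as a record of what changed; either check the NSS backend and state the result, or move the question into TODO-RELEASE so the entry only records what this commit touched (OpenSSL and GnuTLS). Minor: the entry is dated 2 Aug 2009 while the commit timestamp is 2009-08-01 22:11:58 +00:00.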

View File

@ -41,6 +41,7 @@ This release includes the following bugfixes:
o with noproxy set you could still get a proxy if a proxy env was set o with noproxy set you could still get a proxy if a proxy env was set
o rand seeding on libcurl on windows built with OpenSSL was not thread-safe o rand seeding on libcurl on windows built with OpenSSL was not thread-safe
o fixed the zero byte inserted in cert name flaw in libcurl+OpenSSL o fixed the zero byte inserted in cert name flaw in libcurl+OpenSSL
o don't try SNI with SSLv2 or SSLv3 (OpenSSL and GnuTLS builds)
This release includes the following known bugs: This release includes the following known bugs:
@ -54,6 +55,6 @@ advice from friends like these:
Aaron Oneal, Igor Novoseltsev, Eric Wong, Bill Hoffman, Daniel Steinberg, Aaron Oneal, Igor Novoseltsev, Eric Wong, Bill Hoffman, Daniel Steinberg,
Fabian Keil, Michal Marek, Reuven Wachtfogel, Markus Koetter, Fabian Keil, Michal Marek, Reuven Wachtfogel, Markus Koetter,
Constantine Sapuntzakis, David Binderman, Johan van Selst, Alexander Beedie, Constantine Sapuntzakis, David Binderman, Johan van Selst, Alexander Beedie,
Tanguy Fautre, Scott Cantor Tanguy Fautre, Scott Cantor, Curt Bogmine, Peter Sylvester
Thanks! (and sorry if I forgot to mention someone) Thanks! (and sorry if I forgot to mention someone)

View File

@ -3,12 +3,8 @@ To be addressed in 7.19.6 (planned release: August 2009)
248 - "Pausing pipeline problems." 248 - "Pausing pipeline problems."
249 - Wildcard cert name checking and null termination
251 - TFTP block size 251 - TFTP block size
252 - disable SNI for SSLv2 and SSLv3
To be addressed in 7.19.7 (planned release: October 2009) To be addressed in 7.19.7 (planned release: October 2009)
========================= =========================
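Review bot: item 249 ("Wildcard cert name checking and null termination") appears only on the old side of this hunk, so it is being dropped from the 7.19.6 list, yet the commit message describes only the SNI change and the new item 252. If 249 was closed by the earlier cert-name fix already listed in RELEASE-NOTES ("fixed the zero byte inserted in cert name flaw"), say so in the message so the TODO cleanup is not read as part of the SNI fix.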

View File

@ -260,6 +260,7 @@ Curl_gtls_connect(struct connectdata *conn,
const char *ptr; const char *ptr;
void *ssl_sessionid; void *ssl_sessionid;
size_t ssl_idsize; size_t ssl_idsize;
bool sni = TRUE; /* default is SNI enabled */
#ifdef ENABLE_IPV6 #ifdef ENABLE_IPV6
struct in6_addr addr; struct in6_addr addr;
#else #else
@ -279,6 +280,8 @@ Curl_gtls_connect(struct connectdata *conn,
failf(data, "GnuTLS does not support SSLv2"); failf(data, "GnuTLS does not support SSLv2");
return CURLE_SSL_CONNECT_ERROR; return CURLE_SSL_CONNECT_ERROR;
} }
else if(data->set.ssl.version == CURL_SSLVERSION_SSLv3)
sni = FALSE; /* SSLv3 has no SNI */
/* allocate a cred struct */ /* allocate a cred struct */
rc = gnutls_certificate_allocate_credentials(&conn->ssl[sockindex].cred); rc = gnutls_certificate_allocate_credentials(&conn->ssl[sockindex].cred);
@ -335,6 +338,7 @@ Curl_gtls_connect(struct connectdata *conn,
#ifdef ENABLE_IPV6 #ifdef ENABLE_IPV6
(0 == Curl_inet_pton(AF_INET6, conn->host.name, &addr)) && (0 == Curl_inet_pton(AF_INET6, conn->host.name, &addr)) &&
#endif #endif
sni &&
(gnutls_server_name_set(session, GNUTLS_NAME_DNS, conn->host.name, (gnutls_server_name_set(session, GNUTLS_NAME_DNS, conn->host.name,
strlen(conn->host.name)) < 0)) strlen(conn->host.name)) < 0))
infof(data, "WARNING: failed to configure server name indication (SNI) " infof(data, "WARNING: failed to configure server name indication (SNI) "
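Review bot: with `sni &&` inserted ahead of gnutls_server_name_set(), an SSLv3 connection now skips SNI silently: the only diagnostic in this block is the WARNING emitted when gnutls_server_name_set() fails, and that path can no longer be reached once sni is FALSE. Suggest an infof() on the skipped path (for example `infof(data, "SNI disabled for SSLv3\n")`) so someone debugging a name-based virtual host can see in verbose output why no server name was sent.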

View File

@ -1351,6 +1351,7 @@ ossl_connect_step1(struct connectdata *conn,
X509_LOOKUP *lookup=NULL; X509_LOOKUP *lookup=NULL;
curl_socket_t sockfd = conn->sock[sockindex]; curl_socket_t sockfd = conn->sock[sockindex];
struct ssl_connect_data *connssl = &conn->ssl[sockindex]; struct ssl_connect_data *connssl = &conn->ssl[sockindex];
bool sni = TRUE; /* default is SNI enabled */
#ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME #ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
#ifdef ENABLE_IPV6 #ifdef ENABLE_IPV6
struct in6_addr addr; struct in6_addr addr;
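Review bot: `bool sni = TRUE;` is declared just above `#ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME`, but its only reader in this patch is the SSL_set_tlsext_host_name() call, which exists only when that macro is defined. In an OpenSSL build without TLS extension support the flag is assigned in the switch below and never read, which compilers report as a set-but-unused variable. Consider moving the declaration and the two `sni = FALSE;` assignments under the same #ifdef, or referencing the flag unconditionally.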
@ -1376,9 +1377,11 @@ ossl_connect_step1(struct connectdata *conn,
break; break;
case CURL_SSLVERSION_SSLv2: case CURL_SSLVERSION_SSLv2:
req_method = SSLv2_client_method(); req_method = SSLv2_client_method();
sni = FALSE;
break; break;
case CURL_SSLVERSION_SSLv3: case CURL_SSLVERSION_SSLv3:
req_method = SSLv3_client_method(); req_method = SSLv3_client_method();
sni = FALSE;
break; break;
} }
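Review bot: the two new `sni = FALSE;` lines in the SSLv2 and SSLv3 cases carry no comment, while the GnuTLS counterpart annotates the same decision with `/* SSLv3 has no SNI */`. Add the same one-line justification here (SNI is a TLS extension, as the warning text later in this file says, and cannot be carried in an SSLv2 or SSLv3 hello) so the next reader does not "fix" it back.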
@ -1565,6 +1568,7 @@ ossl_connect_step1(struct connectdata *conn,
#ifdef ENABLE_IPV6 #ifdef ENABLE_IPV6
(0 == Curl_inet_pton(AF_INET6, conn->host.name, &addr)) && (0 == Curl_inet_pton(AF_INET6, conn->host.name, &addr)) &&
#endif #endif
sni &&
!SSL_set_tlsext_host_name(connssl->handle, conn->host.name)) !SSL_set_tlsext_host_name(connssl->handle, conn->host.name))
infof(data, "WARNING: failed to configure server name indication (SNI) " infof(data, "WARNING: failed to configure server name indication (SNI) "
"TLS extension\n"); "TLS extension\n");