- Curt Bogmine reported a problem with SNI enabled on a particular server. We

should introduce an option to disable SNI, but as we're in feature freeze now I've addressed the obvious bug here (pointed out by Peter Sylvester): we shouldn't try to enable SNI when SSLv2 or SSLv3 is explicitly selected. Code for OpenSSL and GnuTLS was fixed. NSS doesn't seem to have a particular option for SNI, or are we simply not using it?
2024-12-22 08:08:50 -05:00 · 2009-08-01 22:11:58 +00:00 · 2009-08-01 22:11:58 +00:00 · 6d891d2a3b
commit 6d891d2a3b
parent c0e8bed5bf
5 changed files with 18 additions and 5 deletions
--- a/8
+++ b/8
@ -6,6 +6,14 @@

                                  Changelog

+Daniel Stenberg (2 Aug 2009)
+- Curt Bogmine reported a problem with SNI enabled on a particular server. We
+  should introduce an option to disable SNI, but as we're in feature freeze
+  now I've addressed the obvious bug here (pointed out by Peter Sylvester): we
+  shouldn't try to enable SNI when SSLv2 or SSLv3 is explicitly selected.
+  Code for OpenSSL and GnuTLS was fixed. NSS doesn't seem to have a particular
+  option for SNI, or are we simply not using it?
+
 Daniel Stenberg (1 Aug 2009)
 - Scott Cantor posted the bug report #2829955
  (http://curl.haxx.se/bug/view.cgi?id=2829955) mentioning the recent SSL cert
--- a/3
+++ b/3
@ -41,6 +41,7 @@ This release includes the following bugfixes:
 o with noproxy set you could still get a proxy if a proxy env was set
 o rand seeding on libcurl on windows built with OpenSSL was not thread-safe
 o fixed the zero byte inserted in cert name flaw in libcurl+OpenSSL
+ o don't try SNI with SSLv2 or SSLv3 (OpenSSL and GnuTLS builds)

 This release includes the following known bugs:

@ -54,6 +55,6 @@ advice from friends like these:
 Aaron Oneal, Igor Novoseltsev, Eric Wong, Bill Hoffman, Daniel Steinberg,
 Fabian Keil, Michal Marek, Reuven Wachtfogel, Markus Koetter,
 Constantine Sapuntzakis, David Binderman, Johan van Selst, Alexander Beedie,
- Tanguy Fautre, Scott Cantor
+ Tanguy Fautre, Scott Cantor, Curt Bogmine, Peter Sylvester

        Thanks! (and sorry if I forgot to mention someone)
--- a/4
+++ b/4
@ -3,12 +3,8 @@ To be addressed in 7.19.6 (planned release: August 2009)

 248 - "Pausing pipeline problems."

-249 - Wildcard cert name checking and null termination
-
 251 - TFTP block size

-252 - disable SNI for SSLv2 and SSLv3
-
 To be addressed in 7.19.7 (planned release: October 2009)
 =========================

--- a/lib/gtls.c
+++ b/lib/gtls.c
@ -260,6 +260,7 @@ Curl_gtls_connect(struct connectdata *conn,
  const char *ptr;
  void *ssl_sessionid;
  size_t ssl_idsize;
+  bool sni = TRUE; /* default is SNI enabled */
 #ifdef ENABLE_IPV6
  struct in6_addr addr;
 #else
@ -279,6 +280,8 @@ Curl_gtls_connect(struct connectdata *conn,
    failf(data, "GnuTLS does not support SSLv2");
    return CURLE_SSL_CONNECT_ERROR;
  }
+  else if(data->set.ssl.version == CURL_SSLVERSION_SSLv3)
+    sni = FALSE; /* SSLv3 has no SNI */

  /* allocate a cred struct */
  rc = gnutls_certificate_allocate_credentials(&conn->ssl[sockindex].cred);
@ -335,6 +338,7 @@ Curl_gtls_connect(struct connectdata *conn,
 #ifdef ENABLE_IPV6
      (0 == Curl_inet_pton(AF_INET6, conn->host.name, &addr)) &&
 #endif
+      sni &&
      (gnutls_server_name_set(session, GNUTLS_NAME_DNS, conn->host.name,
                              strlen(conn->host.name)) < 0))
    infof(data, "WARNING: failed to configure server name indication (SNI) "
--- a/lib/ssluse.c
+++ b/lib/ssluse.c
@ -1351,6 +1351,7 @@ ossl_connect_step1(struct connectdata *conn,
  X509_LOOKUP *lookup=NULL;
  curl_socket_t sockfd = conn->sock[sockindex];
  struct ssl_connect_data *connssl = &conn->ssl[sockindex];
+  bool sni = TRUE; /* default is SNI enabled */
 #ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
 #ifdef ENABLE_IPV6
  struct in6_addr addr;
@ -1376,9 +1377,11 @@ ossl_connect_step1(struct connectdata *conn,
    break;
  case CURL_SSLVERSION_SSLv2:
    req_method = SSLv2_client_method();
+    sni = FALSE;
    break;
  case CURL_SSLVERSION_SSLv3:
    req_method = SSLv3_client_method();
+    sni = FALSE;
    break;
  }

@ -1565,6 +1568,7 @@ ossl_connect_step1(struct connectdata *conn,
 #ifdef ENABLE_IPV6
      (0 == Curl_inet_pton(AF_INET6, conn->host.name, &addr)) &&
 #endif
+      sni &&
      !SSL_set_tlsext_host_name(connssl->handle, conn->host.name))
    infof(data, "WARNING: failed to configure server name indication (SNI) "
          "TLS extension\n");