From 6d891d2a3b907f12e5c9b335a806fcb7e77b877b Mon Sep 17 00:00:00 2001
From: Daniel Stenberg
Date: Sat, 1 Aug 2009 22:11:58 +0000
Subject: [PATCH] - Curt Bogmine reported a problem with SNI enabled on a particular server. We should introduce an option to disable SNI, but as we're in feature freeze now I've addressed the obvious bug here (pointed out by Peter Sylvester): we shouldn't try to enable SNI when SSLv2 or SSLv3 is explicitly selected. Code for OpenSSL and GnuTLS was fixed. NSS doesn't seem to have a particular option for SNI, or are we simply not using it?

---
 CHANGES       |  8 ++++++++
 RELEASE-NOTES |  3 ++-
 TODO-RELEASE  |  4 ----
 lib/gtls.c    |  4 ++++
 lib/ssluse.c  |  4 ++++
 5 files changed, 18 insertions(+), 5 deletions(-)

diff --git a/CHANGES b/CHANGES
index e03f92c88..a69c714ba 100644
--- a/CHANGES
+++ b/CHANGES
@@ -6,6 +6,14 @@
 
                                   Changelog
 
+Daniel Stenberg (2 Aug 2009)
+- Curt Bogmine reported a problem with SNI enabled on a particular server. We
+  should introduce an option to disable SNI, but as we're in feature freeze
+  now I've addressed the obvious bug here (pointed out by Peter Sylvester): we
+  shouldn't try to enable SNI when SSLv2 or SSLv3 is explicitly selected.
+  Code for OpenSSL and GnuTLS was fixed. NSS doesn't seem to have a particular
+  option for SNI, or are we simply not using it?
+
 Daniel Stenberg (1 Aug 2009)
 - Scott Cantor posted the bug report #2829955
   (http://curl.haxx.se/bug/view.cgi?id=2829955) mentioning the recent SSL cert
diff --git a/RELEASE-NOTES b/RELEASE-NOTES
index b019bbc74..8f18e2bb1 100644
--- a/RELEASE-NOTES
+++ b/RELEASE-NOTES
@@ -41,6 +41,7 @@ This release includes the following bugfixes:
  o with noproxy set you could still get a proxy if a proxy env was set
  o rand seeding on libcurl on windows built with OpenSSL was not thread-safe
  o fixed the zero byte inserted in cert name flaw in libcurl+OpenSSL
+ o don't try SNI with SSLv2 or SSLv3 (OpenSSL and GnuTLS builds)
 
 This release includes the following known bugs:
 
@@ -54,6 +55,6 @@ advice from friends like these:
  Aaron Oneal, Igor Novoseltsev, Eric Wong, Bill Hoffman, Daniel Steinberg,
  Fabian Keil, Michal Marek, Reuven Wachtfogel, Markus Koetter,
  Constantine Sapuntzakis, David Binderman, Johan van Selst, Alexander Beedie,
- Tanguy Fautre, Scott Cantor
+ Tanguy Fautre, Scott Cantor, Curt Bogmine, Peter Sylvester
 
 Thanks! (and sorry if I forgot to mention someone)
diff --git a/TODO-RELEASE b/TODO-RELEASE
index ad1e24f54..4f458bfcc 100644
--- a/TODO-RELEASE
+++ b/TODO-RELEASE
@@ -3,12 +3,8 @@ To be addressed in 7.19.6 (planned release: August 2009)
 
 248 - "Pausing pipeline problems."
 
-249 - Wildcard cert name checking and null termination
-
 251 - TFTP block size
 
-252 - disable SNI for SSLv2 and SSLv3
-
 To be addressed in 7.19.7 (planned release: October 2009)
 =========================
 
diff --git a/lib/gtls.c b/lib/gtls.c
index d5c8f1a79..81748306e 100644
--- a/lib/gtls.c
+++ b/lib/gtls.c
@@ -260,6 +260,7 @@ Curl_gtls_connect(struct connectdata *conn,
   const char *ptr;
   void *ssl_sessionid;
   size_t ssl_idsize;
+  bool sni = TRUE; /* default is SNI enabled */
 #ifdef ENABLE_IPV6
   struct in6_addr addr;
 #else
@@ -279,6 +280,8 @@ Curl_gtls_connect(struct connectdata *conn,
     failf(data, "GnuTLS does not support SSLv2");
     return CURLE_SSL_CONNECT_ERROR;
   }
+  else if(data->set.ssl.version == CURL_SSLVERSION_SSLv3)
+    sni = FALSE; /* SSLv3 has no SNI */
 
   /* allocate a cred struct */
   rc = gnutls_certificate_allocate_credentials(&conn->ssl[sockindex].cred);
@@ -335,6 +338,7 @@ Curl_gtls_connect(struct connectdata *conn,
 #ifdef ENABLE_IPV6
      (0 == Curl_inet_pton(AF_INET6, conn->host.name, &addr)) &&
 #endif
+     sni &&
      (gnutls_server_name_set(session, GNUTLS_NAME_DNS, conn->host.name,
                              strlen(conn->host.name)) < 0))
     infof(data, "WARNING: failed to configure server name indication (SNI) "
diff --git a/lib/ssluse.c b/lib/ssluse.c
index 324b05d47..fa81d08f5 100644
--- a/lib/ssluse.c
+++ b/lib/ssluse.c
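Review bot: The new `else if` on the SSLv3 check hangs off an `if` whose body always returns (`return CURLE_SSL_CONNECT_ERROR;` two lines above), so the `else` adds nothing and reads as if the two branches were alternatives; a plain `if(data->set.ssl.version == CURL_SSLVERSION_SSLv3)` says the same thing more directly. The opening `if(... == CURL_SSLVERSION_SSLv2)` is outside the hunk, as are the start and end of Curl_gtls_connect. Since ossl_connect_step1 in lib/ssluse.c makes the same decision in a `switch` on `data->set.ssl.version`, the GnuTLS side would be easier to keep in step with it if it used the same shape, but that is a larger edit than this hunk warrants.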
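Review bot: When `sni` is FALSE the added `sni &&` short-circuits the whole condition, so nothing is logged and a `--verbose` trace of a failing handshake gives no hint that SNI was deliberately left out; the same applies to the matching `sni &&` guard in lib/ssluse.c. A one-line diagnostic before the `if`, e.g. `if(!sni) infof(data, "SNI not sent: SSLv3 selected\n");`, keeps that visible to whoever is troubleshooting a server that needs SNI. The enclosing `if` opens outside the hunk, so the exact placement is presumably just above the first Curl_inet_pton check.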
@@ -1351,6 +1351,7 @@ ossl_connect_step1(struct connectdata *conn,
   X509_LOOKUP *lookup=NULL;
   curl_socket_t sockfd = conn->sock[sockindex];
   struct ssl_connect_data *connssl = &conn->ssl[sockindex];
+  bool sni = TRUE; /* default is SNI enabled */
 #ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
 #ifdef ENABLE_IPV6
   struct in6_addr addr;
@@ -1376,9 +1377,11 @@ ossl_connect_step1(struct connectdata *conn,
     break;
   case CURL_SSLVERSION_SSLv2:
     req_method = SSLv2_client_method();
+    sni = FALSE;
     break;
   case CURL_SSLVERSION_SSLv3:
     req_method = SSLv3_client_method();
+    sni = FALSE;
     break;
   }
 
@@ -1565,6 +1568,7 @@ ossl_connect_step1(struct connectdata *conn,
 #ifdef ENABLE_IPV6
      (0 == Curl_inet_pton(AF_INET6, conn->host.name, &addr)) &&
 #endif
+     sni &&
      !SSL_set_tlsext_host_name(connssl->handle, conn->host.name))
     infof(data, "WARNING: failed to configure server name indication (SNI) "
           "TLS extension\n");
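Review bot: `bool sni` is declared in the first hunk just before the `#ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME` block and assigned unconditionally in both `case` arms of the second hunk, but its only read is the `sni &&` next to SSL_set_tlsext_host_name in the third hunk, which presumably sits inside that `#ifdef` (the surrounding lines are not in the hunk). A build against an OpenSSL without TLS extension support would then carry a variable that is set but never read, which GCC reports under -Wunused-but-set-variable. Either wrap the declaration and both `sni = FALSE;` lines in `#ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME` / `#endif`, or add `(void)sni;` after the `switch` so the intent is explicit. ossl_connect_step1 starts and ends outside the hunks.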