authorDaniel Stenberg <daniel@haxx.se>2009-08-01 22:11:58 +0000
committerDaniel Stenberg <daniel@haxx.se>2009-08-01 22:11:58 +0000
commit6d891d2a3b907f12e5c9b335a806fcb7e77b877b (patch)
tree350f759b5ab637e84dcbc727b3e3ce4306fc31d1
parentc0e8bed5bf7a7e56897e492a4dcc399621939995 (diff)
- Curt Bogmine reported a problem with SNI enabled on a particular server. We
should introduce an option to disable SNI, but as we're in feature freeze now I've addressed the obvious bug here (pointed out by Peter Sylvester): we shouldn't try to enable SNI when SSLv2 or SSLv3 is explicitly selected. Code for OpenSSL and GnuTLS was fixed. NSS doesn't seem to have a particular option for SNI, or are we simply not using it?
-rw-r--r--CHANGES8
-rw-r--r--RELEASE-NOTES3
-rw-r--r--TODO-RELEASE4
-rw-r--r--lib/gtls.c4
-rw-r--r--lib/ssluse.c4
5 files changed, 18 insertions, 5 deletions
diff --git a/CHANGES b/CHANGES
index e03f92c88..a69c714ba 100644
--- a/CHANGES
+++ b/CHANGES
@@ -6,6 +6,14 @@
Changelog
+Daniel Stenberg (2 Aug 2009)
+- Curt Bogmine reported a problem with SNI enabled on a particular server. We
+ should introduce an option to disable SNI, but as we're in feature freeze
+ now I've addressed the obvious bug here (pointed out by Peter Sylvester): we
+ shouldn't try to enable SNI when SSLv2 or SSLv3 is explicitly selected.
+ Code for OpenSSL and GnuTLS was fixed. NSS doesn't seem to have a particular
+ option for SNI, or are we simply not using it?
+
Daniel Stenberg (1 Aug 2009)
- Scott Cantor posted the bug report #2829955
(http://curl.haxx.se/bug/view.cgi?id=2829955) mentioning the recent SSL cert
diff --git a/RELEASE-NOTES b/RELEASE-NOTES
index b019bbc74..8f18e2bb1 100644
--- a/RELEASE-NOTES
+++ b/RELEASE-NOTES
@@ -41,6 +41,7 @@ This release includes the following bugfixes:
o with noproxy set you could still get a proxy if a proxy env was set
o rand seeding on libcurl on windows built with OpenSSL was not thread-safe
o fixed the zero byte inserted in cert name flaw in libcurl+OpenSSL
+ o don't try SNI with SSLv2 or SSLv3 (OpenSSL and GnuTLS builds)
This release includes the following known bugs:
@@ -54,6 +55,6 @@ advice from friends like these:
Aaron Oneal, Igor Novoseltsev, Eric Wong, Bill Hoffman, Daniel Steinberg,
Fabian Keil, Michal Marek, Reuven Wachtfogel, Markus Koetter,
Constantine Sapuntzakis, David Binderman, Johan van Selst, Alexander Beedie,
- Tanguy Fautre, Scott Cantor
+ Tanguy Fautre, Scott Cantor, Curt Bogmine, Peter Sylvester
Thanks! (and sorry if I forgot to mention someone)
diff --git a/TODO-RELEASE b/TODO-RELEASE
index ad1e24f54..4f458bfcc 100644
--- a/TODO-RELEASE
+++ b/TODO-RELEASE
@@ -3,12 +3,8 @@ To be addressed in 7.19.6 (planned release: August 2009)
248 - "Pausing pipeline problems."
-249 - Wildcard cert name checking and null termination
-
251 - TFTP block size
-252 - disable SNI for SSLv2 and SSLv3
-
To be addressed in 7.19.7 (planned release: October 2009)
=========================
diff --git a/lib/gtls.c b/lib/gtls.c
index d5c8f1a79..81748306e 100644
--- a/lib/gtls.c
+++ b/lib/gtls.c
@@ -260,6 +260,7 @@ Curl_gtls_connect(struct connectdata *conn,
const char *ptr;
void *ssl_sessionid;
size_t ssl_idsize;
+ bool sni = TRUE; /* default is SNI enabled */
#ifdef ENABLE_IPV6
struct in6_addr addr;
#else
@@ -279,6 +280,8 @@ Curl_gtls_connect(struct connectdata *conn,
failf(data, "GnuTLS does not support SSLv2");
return CURLE_SSL_CONNECT_ERROR;
}
+ else if(data->set.ssl.version == CURL_SSLVERSION_SSLv3)
+ sni = FALSE; /* SSLv3 has no SNI */
/* allocate a cred struct */
rc = gnutls_certificate_allocate_credentials(&conn->ssl[sockindex].cred);
@@ -335,6 +338,7 @@ Curl_gtls_connect(struct connectdata *conn,
#ifdef ENABLE_IPV6
(0 == Curl_inet_pton(AF_INET6, conn->host.name, &addr)) &&
#endif
+ sni &&
(gnutls_server_name_set(session, GNUTLS_NAME_DNS, conn->host.name,
strlen(conn->host.name)) < 0))
infof(data, "WARNING: failed to configure server name indication (SNI) "
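Review bot: With `sni` FALSE the added `sni &&` short-circuits the condition before `gnutls_server_name_set` runs, which is the intended effect, but that skip is silent and reads as an accident to anyone not aware of the SSLv3 case set earlier in the function; since the motivating report is a server-specific SNI problem, a log line or at least a comment would make the behaviour visible when debugging a trace. I would add `/* sni is FALSE for SSLv3: the && short-circuits, so no server name is sent */` above the `sni &&` line, or an `infof(data, "SNI disabled for SSLv3\n");` in the SSLv3 branch of the earlier hunk. The same applies to the `sni &&` before `SSL_set_tlsext_host_name` in lib/ssluse.c. Curl_gtls_connect starts and ends outside this hunk.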
diff --git a/lib/ssluse.c b/lib/ssluse.c
index 324b05d47..fa81d08f5 100644
--- a/lib/ssluse.c
+++ b/lib/ssluse.c
@@ -1351,6 +1351,7 @@ ossl_connect_step1(struct connectdata *conn,
X509_LOOKUP *lookup=NULL;
curl_socket_t sockfd = conn->sock[sockindex];
struct ssl_connect_data *connssl = &conn->ssl[sockindex];
+ bool sni = TRUE; /* default is SNI enabled */
#ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
#ifdef ENABLE_IPV6
struct in6_addr addr;
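Review bot: `bool sni = TRUE;` is declared outside the `#ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME` block that guards `addr`, and the `sni = FALSE;` assignments in the SSLv2/SSLv3 cases of the next hunk are unconditional, while the only read of `sni` seems to be the `sni &&` in the `SSL_set_tlsext_host_name` condition; if that read sits under the same `#ifdef`, builds against an OpenSSL without SSL_CTRL_SET_TLSEXT_HOSTNAME get a set-but-never-read variable, which compilers warn about. Either move the declaration and the two assignments under `#ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME`, or keep them unguarded and add `(void)sni;` in an `#else` branch next to the use. The body of ossl_connect_step1 runs outside this hunk, so the exact guard around the read should be checked there.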
@@ -1376,9 +1377,11 @@ ossl_connect_step1(struct connectdata *conn,
break;
case CURL_SSLVERSION_SSLv2:
req_method = SSLv2_client_method();
+ sni = FALSE;
break;
case CURL_SSLVERSION_SSLv3:
req_method = SSLv3_client_method();
+ sni = FALSE;
break;
}
@@ -1565,6 +1568,7 @@ ossl_connect_step1(struct connectdata *conn,
#ifdef ENABLE_IPV6
(0 == Curl_inet_pton(AF_INET6, conn->host.name, &addr)) &&
#endif
+ sni &&
!SSL_set_tlsext_host_name(connssl->handle, conn->host.name))
infof(data, "WARNING: failed to configure server name indication (SNI) "
"TLS extension\n");