diff options
author | Daniel Stenberg <daniel@haxx.se> | 2009-08-01 22:11:58 +0000 |
---|---|---|
committer | Daniel Stenberg <daniel@haxx.se> | 2009-08-01 22:11:58 +0000 |
commit | 6d891d2a3b907f12e5c9b335a806fcb7e77b877b (patch) | |
tree | 350f759b5ab637e84dcbc727b3e3ce4306fc31d1 | |
parent | c0e8bed5bf7a7e56897e492a4dcc399621939995 (diff) |
- Curt Bogmine reported a problem with SNI enabled on a particular server. We
should introduce an option to disable SNI, but as we're in feature freeze
now I've addressed the obvious bug here (pointed out by Peter Sylvester): we
shouldn't try to enable SNI when SSLv2 or SSLv3 is explicitly selected.
Code for OpenSSL and GnuTLS was fixed. NSS doesn't seem to have a particular
option for SNI, or are we simply not using it?
-rw-r--r-- | CHANGES | 8 | ||||
-rw-r--r-- | RELEASE-NOTES | 3 | ||||
-rw-r--r-- | TODO-RELEASE | 4 | ||||
-rw-r--r-- | lib/gtls.c | 4 | ||||
-rw-r--r-- | lib/ssluse.c | 4 |
5 files changed, 18 insertions, 5 deletions
@@ -6,6 +6,14 @@ Changelog +Daniel Stenberg (2 Aug 2009) +- Curt Bogmine reported a problem with SNI enabled on a particular server. We + should introduce an option to disable SNI, but as we're in feature freeze + now I've addressed the obvious bug here (pointed out by Peter Sylvester): we + shouldn't try to enable SNI when SSLv2 or SSLv3 is explicitly selected. + Code for OpenSSL and GnuTLS was fixed. NSS doesn't seem to have a particular + option for SNI, or are we simply not using it? + Daniel Stenberg (1 Aug 2009) - Scott Cantor posted the bug report #2829955 (http://curl.haxx.se/bug/view.cgi?id=2829955) mentioning the recent SSL cert diff --git a/RELEASE-NOTES b/RELEASE-NOTES index b019bbc74..8f18e2bb1 100644 --- a/RELEASE-NOTES +++ b/RELEASE-NOTES @@ -41,6 +41,7 @@ This release includes the following bugfixes: o with noproxy set you could still get a proxy if a proxy env was set o rand seeding on libcurl on windows built with OpenSSL was not thread-safe o fixed the zero byte inserted in cert name flaw in libcurl+OpenSSL + o don't try SNI with SSLv2 or SSLv3 (OpenSSL and GnuTLS builds) This release includes the following known bugs: @@ -54,6 +55,6 @@ advice from friends like these: Aaron Oneal, Igor Novoseltsev, Eric Wong, Bill Hoffman, Daniel Steinberg, Fabian Keil, Michal Marek, Reuven Wachtfogel, Markus Koetter, Constantine Sapuntzakis, David Binderman, Johan van Selst, Alexander Beedie, - Tanguy Fautre, Scott Cantor + Tanguy Fautre, Scott Cantor, Curt Bogmine, Peter Sylvester Thanks! (and sorry if I forgot to mention someone) diff --git a/TODO-RELEASE b/TODO-RELEASE index ad1e24f54..4f458bfcc 100644 --- a/TODO-RELEASE +++ b/TODO-RELEASE @@ -3,12 +3,8 @@ To be addressed in 7.19.6 (planned release: August 2009) 248 - "Pausing pipeline problems." -249 - Wildcard cert name checking and null termination - 251 - TFTP block size -252 - disable SNI for SSLv2 and SSLv3 - To be addressed in 7.19.7 (planned release: October 2009) ========================= diff --git a/lib/gtls.c b/lib/gtls.c index d5c8f1a79..81748306e 100644 --- a/lib/gtls.c +++ b/lib/gtls.c @@ -260,6 +260,7 @@ Curl_gtls_connect(struct connectdata *conn, const char *ptr; void *ssl_sessionid; size_t ssl_idsize; + bool sni = TRUE; /* default is SNI enabled */ #ifdef ENABLE_IPV6 struct in6_addr addr; #else @@ -279,6 +280,8 @@ Curl_gtls_connect(struct connectdata *conn, failf(data, "GnuTLS does not support SSLv2"); return CURLE_SSL_CONNECT_ERROR; } + else if(data->set.ssl.version == CURL_SSLVERSION_SSLv3) + sni = FALSE; /* SSLv3 has no SNI */ /* allocate a cred struct */ rc = gnutls_certificate_allocate_credentials(&conn->ssl[sockindex].cred); @@ -335,6 +338,7 @@ Curl_gtls_connect(struct connectdata *conn, #ifdef ENABLE_IPV6 (0 == Curl_inet_pton(AF_INET6, conn->host.name, &addr)) && #endif + sni && (gnutls_server_name_set(session, GNUTLS_NAME_DNS, conn->host.name, strlen(conn->host.name)) < 0)) infof(data, "WARNING: failed to configure server name indication (SNI) " diff --git a/lib/ssluse.c b/lib/ssluse.c index 324b05d47..fa81d08f5 100644 --- a/lib/ssluse.c +++ b/lib/ssluse.c @@ -1351,6 +1351,7 @@ ossl_connect_step1(struct connectdata *conn, X509_LOOKUP *lookup=NULL; curl_socket_t sockfd = conn->sock[sockindex]; struct ssl_connect_data *connssl = &conn->ssl[sockindex]; + bool sni = TRUE; /* default is SNI enabled */ #ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME #ifdef ENABLE_IPV6 struct in6_addr addr; @@ -1376,9 +1377,11 @@ ossl_connect_step1(struct connectdata *conn, break; case CURL_SSLVERSION_SSLv2: req_method = SSLv2_client_method(); + sni = FALSE; break; case CURL_SSLVERSION_SSLv3: req_method = SSLv3_client_method(); + sni = FALSE; break; } @@ -1565,6 +1568,7 @@ ossl_connect_step1(struct connectdata *conn, #ifdef ENABLE_IPV6 (0 == Curl_inet_pton(AF_INET6, conn->host.name, &addr)) && #endif + sni && !SSL_set_tlsext_host_name(connssl->handle, conn->host.name)) infof(data, "WARNING: failed to configure server name indication (SNI) " "TLS extension\n"); |