[patch] TLS Server Name Indication (SNI) support for fetch(1)

Sofian Brabez sbz at FreeBSD.org
Sat Jun 8 20:56:58 UTC 2013


Hi,

fetch(1) currently does not support the TLS extension Server Name Indication (RFC
6066) [1] when dealing with SSL. Nowadays a lot of clients and servers implement
this extension.

Using the TLS SNI Test website sni.velox.ch [2], the test fails in r251550:

% fetch -o out https://sni.velox.ch/ && grep 'libfetch' out
fetch: https://sni.velox.ch/: size of remote file is not known
out                                                   5101  B  134 kBps 00m00s
<p><strong>Unfortunately, your client </strong>[fetch libfetch/2.0] <strong>

After patching lib/libfetch with my changes:

% cd /usr/src/lib/libfetch
% patch -p0 < <(fetch -o - http://people.freebsd.org/~sbz/fetch_ssl_sni.diff)

And after rebuilding the lib/libfetch library and the usr.bin/fetch program, the test
succeeded:

% fetch -o out https://sni.velox.ch/ &&  grep 'libfetch' out
fetch: https://sni.velox.ch/: size of remote file is not known
out                                                   5063  B  104 kBps 00m00s
<p><strong>Great! Your client </strong>[fetch libfetch/2.0] <strong>

Our OpenSSL version 1.0.1c in base supports this extension already. s_client does too,
using the -servername argument:

% openssl version
OpenSSL 1.0.1c-freebsd 10 May 2012
% openssl s_client -h 2>&1| grep servername
 -servername host  - Set TLS extension servername in ClientHello
% openssl s_client -connect sni.velox.ch:443 -servername sni.velox.ch -tlsextdebug 2>/dev/null|grep 'extension'
TLS server extension "server name" (id=0), len=0
TLS server extension "renegotiation info" (id=65281), len=1
TLS server extension "EC point formats" (id=11), len=4
TLS server extension "session ticket" (id=35), len=0
TLS server extension "heartbeat" (id=15), len=1

You will find the patch here [3] and as inline attachment.

Is it OK for you, des@?

Regards

[1] http://en.wikipedia.org/wiki/Server_Name_Indication
[2] https://sni.velox.ch/
[3] http://people.freebsd.org/~sbz/fetch_ssl_sni.diff

--
Sofian Brabez
-------------- next part --------------
A non-text attachment was scrubbed...
Name: fetch_ssl_sni.diff
Type: text/x-diff
Size: 1668 bytes
Desc: not available
URL: <http://lists.freebsd.org/pipermail/freebsd-hackers/attachments/20130608/164fc551/attachment.diff>
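What the extension looks like on the wire, as an added example that is not part of the original post, the attached patch, libfetch or OpenSSL: a builder that emits a minimal TLS ClientHello carrying only a server_name extension (extension id 0, name_type host_name 0, per RFC 6066), and a bounds-checked parser that recovers the host name from such a record, as a server, a proxy or an IDS would. The assumed host name "sni.velox.ch" is taken from the post; the cipher suite, the fixed "random" bytes and the buffer sizes are constructed for illustration. In a real client using OpenSSL 1.0.1, the equivalent of the builder's extension is requested with SSL_set_tlsext_host_name(3) before SSL_connect(3); this example does not depend on OpenSSL so that it runs offline.

```c
/* TLS ClientHello builder / server_name (SNI, RFC 6066) extractor.
 * Illustrative example only: not libfetch, not OpenSSL, not the patch. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define TLS_HANDSHAKE   0x16
#define HS_CLIENT_HELLO 0x01
#define EXT_SERVER_NAME 0x0000   /* "server name" (id=0) in the s_client output */
#define SNI_HOST_NAME   0x00     /* NameType host_name */

static void   put16(uint8_t *p, size_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }
static size_t get16(const uint8_t *p)     { return ((size_t)p[0] << 8) | p[1]; }

/* Build one TLS record holding a ClientHello whose only extension is
 * server_name=host. Returns bytes written, 0 if host or buf is unsuitable. */
size_t build_client_hello(const char *host, uint8_t *buf, size_t buflen)
{
    size_t hlen = strlen(host);
    size_t ext_data = 2 + 1 + 2 + hlen;          /* list_len, name_type, name_len, name */
    size_t body = 2 + 32 + 1 + 2 + 2 + 1 + 1 + 2 /* version..extensions_len */
                + 4 + ext_data;                  /* ext type, ext len, ext data */
    size_t total = 5 + 4 + body;                 /* record hdr + handshake hdr */
    if (hlen == 0 || hlen > 0xff00 || total > buflen) return 0;
    uint8_t *p = buf;
    *p++ = TLS_HANDSHAKE; *p++ = 0x03; *p++ = 0x01; put16(p, 4 + body); p += 2;
    *p++ = HS_CLIENT_HELLO; *p++ = 0; put16(p, body); p += 2;   /* 24-bit length */
    *p++ = 0x03; *p++ = 0x03;                    /* client_version: TLS 1.2 */
    memset(p, 0x42, 32); p += 32;                /* constructed "random", NOT secure */
    *p++ = 0;                                    /* empty session id */
    put16(p, 2); p += 2; *p++ = 0xc0; *p++ = 0x2f; /* one constructed cipher suite */
    *p++ = 1; *p++ = 0;                          /* null compression only */
    put16(p, 4 + ext_data); p += 2;              /* extensions length */
    put16(p, EXT_SERVER_NAME); p += 2; put16(p, ext_data); p += 2;
    put16(p, 1 + 2 + hlen); p += 2;              /* ServerNameList length */
    *p++ = SNI_HOST_NAME; put16(p, hlen); p += 2; memcpy(p, host, hlen); p += hlen;
    return (size_t)(p - buf);
}

/* Copy the host_name from a ClientHello record into out (NUL-terminated).
 * Returns name length, 0 if no SNI is present, -1 if malformed or out too small.
 * Every length field is checked against the enclosing length before use,
 * because the record comes from the peer and is attacker-controlled. */
int parse_sni(const uint8_t *rec, size_t len, char *out, size_t outlen)
{
    if (len < 5 || rec[0] != TLS_HANDSHAKE) return -1;
    size_t rlen = get16(rec + 3);
    if (rlen > len - 5) return -1;
    const uint8_t *p = rec + 5, *end = p + rlen;
    if (end - p < 4 || p[0] != HS_CLIENT_HELLO) return -1;
    size_t hslen = ((size_t)p[1] << 16) | get16(p + 2);
    p += 4;
    if (hslen > (size_t)(end - p)) return -1;
    end = p + hslen;
    if (end - p < 2 + 32 + 1) return -1;
    p += 2 + 32;                                 /* version + random */
    size_t n = *p++;                             /* session id */
    if (n > (size_t)(end - p)) return -1; p += n;
    if (end - p < 2) return -1;
    n = get16(p); p += 2;                        /* cipher suites */
    if (n > (size_t)(end - p)) return -1; p += n;
    if (end - p < 1) return -1;
    n = *p++;                                    /* compression methods */
    if (n > (size_t)(end - p)) return -1; p += n;
    if (end - p == 0) return 0;                  /* legal: no extensions block at all */
    if (end - p < 2) return -1;
    n = get16(p); p += 2;                        /* extensions length */
    if (n > (size_t)(end - p)) return -1;
    end = p + n;
    while (end - p >= 4) {
        size_t type = get16(p), elen = get16(p + 2);
        p += 4;
        if (elen > (size_t)(end - p)) return -1;
        if (type == EXT_SERVER_NAME) {
            const uint8_t *q = p, *qend = p + elen;
            if (qend - q < 2) return -1;
            size_t llen = get16(q); q += 2;
            if (llen > (size_t)(qend - q)) return -1;
            qend = q + llen;
            while (qend - q >= 3) {              /* ServerName entries */
                uint8_t ntype = q[0]; size_t nlen = get16(q + 1); q += 3;
                if (nlen > (size_t)(qend - q)) return -1;
                if (ntype == SNI_HOST_NAME) {
                    if (nlen + 1 > outlen) return -1;
                    memcpy(out, q, nlen); out[nlen] = '\0';
                    return (int)nlen;
                }
                q += nlen;                       /* unknown NameType: skip */
            }
            return 0;                            /* extension present, no host_name */
        }
        p += elen;                               /* some other extension: skip */
    }
    return 0;
}

int main(void)
{
    uint8_t hello[512]; char name[256];
    size_t n = build_client_hello("sni.velox.ch", hello, sizeof hello);
    int r = parse_sni(hello, n, name, sizeof name);
    printf("ClientHello: %zu bytes, SNI: %s (rc=%d)\n", n, r > 0 ? name : "(none)", r);
    return 0;
}
```

The parser returns -1 for a truncated record or an inner length that overruns its container, which is the case to exercise when the extractor sits in front of untrusted peers; a ClientHello with no extensions block at all is still valid and reports "no SNI" rather than an error. Note that the host name travels in cleartext in the ClientHello, so anything that can see the TCP stream learns which virtual host the client asked for.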