[patch] TLS Server Name Indication (SNI) support for fetch(1)
Sofian Brabez
sbz at FreeBSD.org
Sat Jun 8 20:56:58 UTC 2013
Hi,
fetch(1) currently does not support the TLS extension Server Name Indication (RFC
6066) [1] when dealing with SSL. Nowadays a lot of clients and servers implement
this extension.
Using the TLS SNI Test website sni.velox.ch [2], the test fails in r251550:
% fetch -o out https://sni.velox.ch/ && grep 'libfetch' out
fetch: https://sni.velox.ch/: size of remote file is not known
out 5101 B 134 kBps 00m00s
<p><strong>Unfortunately, your client </strong>[fetch libfetch/2.0] <strong>
After patching lib/libfetch with my changes:
% cd /usr/src/lib/libfetch
% patch -p0 < <(fetch -o - http://people.freebsd.org/~sbz/fetch_ssl_sni.diff)
And after rebuilding the lib/libfetch library and the usr.bin/fetch program, the test
succeeded:
% fetch -o out https://sni.velox.ch/ && grep 'libfetch' out
fetch: https://sni.velox.ch/: size of remote file is not known
out 5063 B 104 kBps 00m00s
<p><strong>Great! Your client </strong>[fetch libfetch/2.0] <strong>
Our OpenSSL version 1.0.1c in base already supports this extension. s_client does too,
using the -servername argument:
% openssl version
OpenSSL 1.0.1c-freebsd 10 May 2012
% openssl s_client -h 2>&1| grep servername
-servername host - Set TLS extension servername in ClientHello
% openssl s_client -connect sni.velox.ch:443 -servername sni.velox.ch -tlsextdebug 2>/dev/null|grep 'extension'
TLS server extension "server name" (id=0), len=0
TLS server extension "renegotiation info" (id=65281), len=1
TLS server extension "EC point formats" (id=11), len=4
TLS server extension "session ticket" (id=35), len=0
TLS server extension "heartbeat" (id=15), len=1
You will find the patch here [3] and as inline attachment.
Is it OK for you, des@?
Regards
[1] http://en.wikipedia.org/wiki/Server_Name_Indication
[2] https://sni.velox.ch/
[3] http://people.freebsd.org/~sbz/fetch_ssl_sni.diff
--
Sofian Brabez
-------------- next part --------------
A non-text attachment was scrubbed...
Name: fetch_ssl_sni.diff
Type: text/x-diff
Size: 1668 bytes
Desc: not available
URL: <http://lists.freebsd.org/pipermail/freebsd-hackers/attachments/20130608/164fc551/attachment.diff>