kern/183583: [patch] Support SNI in libfetch

Michael Gmelin freebsd at grem.de
Sat Nov 2 05:10:01 UTC 2013 

>Number:         183583
>Category:       kern
>Synopsis:       [patch] Support SNI in libfetch
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Sat Nov 02 05:10:00 UTC 2013
>Closed-Date:
>Last-Modified:
>Originator:     Michael Gmelin
>Release:        10.0-BETA2
>Organization:
Grem Equity GmbH
>Environment:
FreeBSD srv15 10.0-BETA2 FreeBSD 10.0-BETA2 #0: Mon Oct 28 20:44:29 UTC 2013     root@:/usr/obj/usr/src/sys/GENERIC  amd64
>Description:
sbz at freebsd.org created and submitted a patch earlier this year [1] that made libfetch support SNI (server name indication) [2]. It seems like this overlapped with my more complex submission earlier this year and somehow got lost.

I made the patch work with the current version of libfetch, should work in 10 as well as in 9. It's extremely trivial and auditing should be a matter of seconds.
 
[1] http://en.wikipedia.org/wiki/Server_Name_Indication
[2] http://lists.freebsd.org/pipermail/freebsd-hackers/2013-June/042938.html

>How-To-Repeat:
Try fetching https://sni.velo.ch before and after the patch, observe the difference.

fetch https://sni.velo.ch
(see the original patch listed above [2] for a more detailed explanation and procedure).


>Fix:
Apply the attached patch.

cd /usr/src
patch </path/to/libfetch_sni.patch.txt

Patch attached with submission follows:

Index: lib/libfetch/common.c
===================================================================
--- lib/libfetch/common.c	(revision 257540)
+++ lib/libfetch/common.c	(working copy)
@@ -829,6 +829,15 @@
 		return (-1);
 	}
 	SSL_set_fd(conn->ssl, conn->sd);
+
+#if OPENSSL_VERSION_NUMBER >= 0x0090806fL && !defined(OPENSSL_NO_TLSEXT)
+	if (!SSL_set_tlsext_host_name(conn->ssl, URL->host)) {
+		fprintf(stderr,
+		    "TLS server name indication extension failed for host %s\n",
+		    URL->host);
+		return (-1);
+	}
+#endif
 	while ((ret = SSL_connect(conn->ssl)) == -1) {
 		ssl_err = SSL_get_error(conn->ssl, ret);
 		if (ssl_err != SSL_ERROR_WANT_READ &&


>Release-Note:
>Audit-Trail:
>Unformatted:

More information about the freebsd-bugs mailing list