kern/183583: [patch] Support SNI in libfetch

Michael Gmelin freebsd at
Sat Nov 2 05:10:01 UTC 2013

>Number:         183583
>Category:       kern
>Synopsis:       [patch] Support SNI in libfetch
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Sat Nov 02 05:10:00 UTC 2013
>Originator:     Michael Gmelin
>Release:        10.0-BETA2
Grem Equity GmbH
FreeBSD srv15 10.0-BETA2 FreeBSD 10.0-BETA2 #0: Mon Oct 28 20:44:29 UTC 2013     root@:/usr/obj/usr/src/sys/GENERIC  amd64
sbz at created and submitted a patch earlier this year [1] that made libfetch support SNI (server name indication) [2]. It seems like this overlapped with my more complex submission earlier this year and somehow got lost.

I made the patch work with the current version of libfetch, should work in 10 as well as in 9. It's extremely trivial and auditing should be a matter of seconds.

Try fetching before and after the patch, observe the difference.

(see the original patch listed above [2] for a more detailed explanation and procedure).

Apply the attached patch.

cd /usr/src
patch </path/to/libfetch_sni.patch.txt

Patch attached with submission follows:

Index: lib/libfetch/common.c
--- lib/libfetch/common.c	(revision 257540)
+++ lib/libfetch/common.c	(working copy)
@@ -829,6 +829,15 @@
 		return (-1);
 	SSL_set_fd(conn->ssl, conn->sd);
+#if OPENSSL_VERSION_NUMBER >= 0x0090806fL && !defined(OPENSSL_NO_TLSEXT)
+	if (!SSL_set_tlsext_host_name(conn->ssl, URL->host)) {
+		fprintf(stderr,
+		    "TLS server name indication extension failed for host %s\n",
+		    URL->host);
+		return (-1);
+	}
 	while ((ret = SSL_connect(conn->ssl)) == -1) {
 		ssl_err = SSL_get_error(conn->ssl, ret);
 		if (ssl_err != SSL_ERROR_WANT_READ &&


More information about the freebsd-bugs mailing list