[patch] TLS Server Name Indication (SNI) support for fetch(1)

Bryan Drewery bdrewery at FreeBSD.org
Sat Feb 1 14:40:40 UTC 2014


On 12/28/2013 7:02 AM, Thomas Steen Rasmussen wrote:
> On 08-06-2013 22:56, Sofian Brabez wrote:
>> Hi,
>>
>> fetch(1) currently does not support the TLS extension Server Name
>> Indication (RFC 6066) [1] when dealing with SSL. Nowadays lots of clients
>> and servers implement this extension.
> Hello!
> 
> fetch(1) is still missing SNI support as of r259440 - any chance of
> seeing this patch committed ?
> As IPv4 depletion gets worse, we will see SSL websites using SNI more and
> more. This is overdue.
> 
> Thanks, and may you all have a wonderful new year!
> 
> /Thomas Steen Rasmussen


This was added in head r258347 Nov 19 2013:
http://svnweb.freebsd.org/changeset/base/258347

It made it to stable/10 before 10.0 and into stable/9.

It works if you install ca_root_nss and link its cert.pem:

> # pkg install ca_root_nss
> ...
> # ln -s /usr/local/share/certs/ca-root-nss.crt /etc/ssl/cert.pem
> ...
> # fetch -v -o - https://sni.velox.ch|head -n 15
> looking up sni.velox.ch
> connecting to sni.velox.ch:443
> SSL options: 81004bff
> Peer verification enabled
> Using CA cert file: /etc/ssl/cert.pem
> Verify hostname
> SSL connection established using ECDHE-RSA-AES256-GCM-SHA384
> Certificate subject: /C=CH/ST=Zuerich/L=Zuerich/O=Kaspar Brand/CN=*.sni.velox.ch
> Certificate issuer: /C=BM/O=QuoVadis Limited/OU=www.quovadisglobal.com/CN=QuoVadis Global SSL ICA
> requesting https://sni.velox.ch/
> -                                             <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
> <html>
> <head>
>         5063  B<title>TLS SNI Test Site: *.sni.velox.ch</title>
> </head>
>   945 kBps<body>
>  00m00s<h2>TLS SNI Test Site: *.sni.velox.ch</h2>
> 
> 
> <p><strong>Great! Your client </strong>[fetch libfetch/2.0] <strong>
> sent the following TLS server name indication extension
> (<a href="http://www.rfc-editor.org/rfc/rfc6066.txt">RFC 6066</a>)
> in its ClientHello </strong>(negotiated protocol: TLSv1.2, cipher suite: ECDHE-RSA-AES256-GCM-SHA384)<strong>:</strong></p>
> <pre>  <strong>sni.velox.ch</strong></pre>
> <p>In your request, this header was included:</p>
> <pre>  Host: sni.velox.ch</pre>


I'm not sure what the plan is for a base CA file, but adding ca_root_nss
does allow it to work.

-- 
Regards,
Bryan Drewery
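What the test site above is reporting, as an added example that is not part of this message or of fetch(1)/libfetch: a small Python script that builds a TLS 1.2 ClientHello carrying the RFC 6066 server_name extension (the host name sni.velox.ch and the cipher suite ECDHE-RSA-AES256-GCM-SHA384, 0xC030, that the fetch -v output shows negotiated) and a parser that pulls the SNI host name back out, which is the step a name-based virtual host performs before choosing which certificate to present. The record and handshake framing follow RFC 5246 and RFC 6066; the function names, the single-suite cipher list and the constructed byte strings are my own assumptions for illustration.

```python
"""Minimal TLS ClientHello builder and SNI parser (RFC 5246 record/handshake
framing, RFC 6066 server_name extension).  Added example, not libfetch code."""
import os
import struct
from typing import Optional

EXT_SERVER_NAME = 0x0000   # extension_type server_name (RFC 6066 section 3)
SNI_HOST_NAME = 0x00       # NameType host_name, the only type RFC 6066 defines
# TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, the suite fetch -v reports above
# (assumed as the only suite offered, to keep the hello small).
CIPHER_SUITES = bytes.fromhex("c030")


def build_sni_extension(hostname: str) -> bytes:
    """Encode one server_name extension: type, length, ServerNameList."""
    name = hostname.encode("ascii")   # RFC 6066: ASCII, no trailing dot, never an IP literal
    entry = struct.pack("!BH", SNI_HOST_NAME, len(name)) + name
    name_list = struct.pack("!H", len(entry)) + entry
    return struct.pack("!HH", EXT_SERVER_NAME, len(name_list)) + name_list


def build_client_hello(hostname: Optional[str], client_random: Optional[bytes] = None) -> bytes:
    """Return a TLS record holding a TLS 1.2 ClientHello.  hostname=None builds a
    hello with no extensions block at all, i.e. a client that does not send SNI."""
    if client_random is None:
        client_random = os.urandom(32)
    body = b"\x03\x03" + client_random                         # client_version 1.2, random
    body += b"\x00"                                            # session_id: empty
    body += struct.pack("!H", len(CIPHER_SUITES)) + CIPHER_SUITES
    body += b"\x01\x00"                                        # one compression method: null
    if hostname is not None:
        ext = build_sni_extension(hostname)
        body += struct.pack("!H", len(ext)) + ext              # extensions vector
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def _skip_vector(buf: bytes, pos: int, len_size: int) -> int:
    """Advance past a length-prefixed vector whose length field is len_size bytes."""
    if pos + len_size > len(buf):
        raise ValueError("truncated ClientHello")
    pos += len_size + int.from_bytes(buf[pos:pos + len_size], "big")
    if pos > len(buf):
        raise ValueError("vector runs past end of ClientHello")
    return pos


def _host_name_from_list(data: bytes) -> Optional[str]:
    """Pull the host_name entry out of a ServerNameList."""
    if len(data) < 2 or len(data) != 2 + struct.unpack("!H", data[:2])[0]:
        raise ValueError("bad ServerNameList length")
    pos = 2
    while pos + 3 <= len(data):
        name_type, name_len = struct.unpack("!BH", data[pos:pos + 3])
        pos += 3
        name = data[pos:pos + name_len]
        pos += name_len
        if len(name) != name_len:
            raise ValueError("truncated server name")
        if name_type == SNI_HOST_NAME:
            return name.decode("ascii")
    return None


def parse_sni(record: bytes) -> Optional[str]:
    """Return the SNI host name from a ClientHello record, or None if the client
    sent no server_name extension.  Malformed input raises ValueError."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) != rec_len or len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a complete ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    if len(body) != int.from_bytes(hs[1:4], "big") or len(body) < 34:
        raise ValueError("ClientHello length mismatch")
    pos = 34                                       # client_version + random
    pos = _skip_vector(body, pos, 1)               # session_id
    pos = _skip_vector(body, pos, 2)               # cipher_suites
    pos = _skip_vector(body, pos, 1)               # compression_methods
    if pos == len(body):
        return None                                # no extensions block at all
    end = _skip_vector(body, pos, 2)               # extensions vector must end the message
    if end != len(body):
        raise ValueError("trailing bytes after extensions")
    pos += 2
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        data = body[pos:pos + ext_len]
        pos += ext_len
        if len(data) != ext_len:
            raise ValueError("truncated extension")
        if ext_type == EXT_SERVER_NAME:
            return _host_name_from_list(data)
    return None


if __name__ == "__main__":
    print("with SNI:   ", parse_sni(build_client_hello("sni.velox.ch")))   # sni.velox.ch
    print("without SNI:", parse_sni(build_client_hello(None)))             # None
```

The `hostname=None` branch is what a client without SNI support looks like on the wire: the ClientHello carries no extensions vector, so a server holding several certificates behind one IPv4 address can only answer with its default one, which is the situation the thread is asking to fix. Two practitioner caveats: the server_name value travels in cleartext inside the ClientHello, so it is visible to anyone on the path; and selecting a certificate by SNI is independent of the client's own hostname verification (the "Verify hostname" line in the fetch -v output), which checks the certificate the server actually returns against the name the client asked for and still needs a trusted CA bundle such as the ca_root_nss cert.pem linked above.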
