On Tue, Oct 08, 2013 at 11:14:26PM +0200, Nicolas Vinot wrote:
> Package: proxytunnel
> Version: 1.9.0-6
> Severity: wishlist
> Tags: patch
>
> Hello Debian maintainers,
>
> Here is a tiny patch to add SNI support to proxytunnel.
> Tested with my remote apache proxy, it seems to work and allows not reserving the
> default apache vhost for proxytunnel and really using a full dedicated vhost for
> proxying.
> Could you integrate it into your next version?
>
> I will try to propagate it upstream, but because of the OpenSSL to GNUTLS Debian
> patch, it's not possible immediately.
Hello Nicolas!

Thanks for this patch. I've just uploaded version 1.9.0+svn250-1 to unstable, which reverts to using OpenSSL (due to a change in license conditions allowing this to happen).

I've tried writing a version of your patch for OpenSSL, which seems to work. Attached is the patch I've used (in comparison to 1.9.0+svn250-1, not including the changelog); does this seem to be correct to you? If so, I'll upload -2 to unstable.

Best wishes,
Julian
--- a/ptstream.c +++ b/ptstream.c @@ -161,13 +161,24 @@ #ifdef USE_SSL SSL *ssl; SSL_CTX *ctx; - + int ret; + /* Initialise the connection */ SSLeay_add_ssl_algorithms(); SSL_load_error_strings(); ctx = SSL_CTX_new (SSLv3_client_method()); ssl = SSL_new (ctx); + + if (args_info.verbose_flag) { + message("Set SNI hostname to %s\n", args_info.proxyhost_arg); + } + ret = SSL_set_tlsext_host_name(ssl, args_info.proxyhost_arg); + if (!ret) { + message("TLS SNI error, giving up: SSL_set_tlsext_host_name failed\n"); + exit(1); + } + SSL_set_rfd (ssl, stream_get_incoming_fd(pts)); SSL_set_wfd (ssl, stream_get_outgoing_fd(pts)); SSL_connect (ssl);
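Review bot: the SNI extension set here will not actually be sent, because the unchanged context line `ctx = SSL_CTX_new (SSLv3_client_method());` pins the ClientHello to SSLv3, and OpenSSL omits TLS extensions (SNI included) from an SSLv3 ClientHello, so `SSL_set_tlsext_host_name` succeeds but the proxy still sees no server name. Switch the method to one that negotiates TLS, for example `SSLv23_client_method()` with `SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3)` (or `TLSv1_client_method()` on this OpenSSL generation), and then re-test against the Apache vhost; SSLv3 is deprecated and should be disabled anyway. Two smaller points on the same hunk: `SSL_set_tlsext_host_name` is a macro wrapping `SSL_ctrl` that returns 1 on success and 0 on failure, so the `if (!ret)` check is correct, but note that it only sets the name in the handshake and performs no certificate hostname verification, and the existing `SSL_connect (ssl);` context line still ignores the return value, so a failed or rejected handshake goes unnoticed; checking it (`if (SSL_connect(ssl) != 1) { ... exit(1); }`) alongside the new SNI error path would keep the two failure modes consistent. Finally, `args_info.proxyhost_arg` may be a literal IP address; RFC 6066 forbids IP literals in SNI, so either skip the call when the host parses as an address or document that the proxy host must be a DNS name.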