On Tue, Oct 08, 2013 at 11:14:26PM +0200, Nicolas Vinot wrote:
> Package: proxytunnel
> Version: 1.9.0-6
> Severity: wishlist
> Tags: patch
> 
> Hello Debian maintainers,
> 
> Here is a tiny patch to add SNI support to proxytunnel.
> Tested with my remote apache proxy, it seems to be working and allows one
> not to reserve the default apache vhost for proxytunnel and really use a
> full dedicated vhost for proxying.
> Could you integrate it into your next version?
> 
> I will try to propagate it upstream, but because of the OpenSSL to GNUTLS
> Debian patch, it's not possible immediately.

Hello Nicolas!

Thanks for this patch.  I've just uploaded version 1.9.0+svn250-1 to
unstable, which reverts to using OpenSSL (due to a change in license
conditions allowing this to happen).  I've tried writing a version of
your patch for OpenSSL, which seems to work.  Attached is the patch
I've used (in comparison to 1.9.0+svn250-1, not including the
changelog); does this seem to be correct to you?  If so, I'll upload
-2 to unstable.

Best wishes,

   Julian
--- a/ptstream.c
+++ b/ptstream.c
@@ -161,13 +161,24 @@
 #ifdef USE_SSL
        SSL *ssl;
        SSL_CTX *ctx;
-       
+       int ret;
+
        /* Initialise the connection */
        SSLeay_add_ssl_algorithms();
        SSL_load_error_strings();
 
        ctx = SSL_CTX_new (SSLv3_client_method());
        ssl = SSL_new (ctx);
+
+       if (args_info.verbose_flag) {
+               message("Set SNI hostname to %s\n", args_info.proxyhost_arg);
+       }
+       ret = SSL_set_tlsext_host_name(ssl, args_info.proxyhost_arg);
+       if (!ret) {
+               message("TLS SNI error, giving up: SSL_set_tlsext_host_name 
failed\n");
+               exit(1);
+       }
+
        SSL_set_rfd (ssl, stream_get_incoming_fd(pts));
        SSL_set_wfd (ssl, stream_get_outgoing_fd(pts)); 
        SSL_connect (ssl);
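
Review bot: The context line ctx = SSL_CTX_new (SSLv3_client_method()); directly above the added SNI block pins the handshake to SSLv3, and server_name is a TLS extension that SSLv3 predates, so the hostname passed to SSL_set_tlsext_host_name() is not guaranteed to reach the proxy. I would switch to SSLv23_client_method() in this same change, with SSLv2 and SSLv3 disabled through SSL_CTX_set_options(), so that a TLS ClientHello carrying the extension is actually sent. Two smaller points in the same hunk: args_info.proxyhost_arg is used as the SNI name unconditionally, but it may be an IP literal, for which no server_name should be set; and the return value of SSL_connect (ssl) in the trailing context is still unchecked, so a handshake failure against the dedicated vhost would go unreported even though the new code is careful to exit on an SNI setup failure.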
