On Thu, 15 Dec 2011 01:43:42 +0100 BohwaZ wrote:

> So it appears that Fossil doesn't support SNI.
> 
> I did a small patch in src/http_ssl.c and it seems to work, but maybe
> it's not the best code for that purpose as I usually don't work in C:
> 
> 214a215
> >   SSL_set_tlsext_host_name(ssl, g.urlName);

This seems correct to me. I expanded your patch a bit to show a warning
if we fail to set SNI. I also simplified setting of the connection port.

Richard, should I commit this into trunk?

Index: src/http_ssl.c
==================================================================
--- src/http_ssl.c
+++ src/http_ssl.c
@@ -193,11 +193,11 @@
 */
 int ssl_open(void){
   X509 *cert;
   int hasSavedCertificate = 0;
   int trusted = 0;
-  char *connStr ;
+  char *connStr;
   unsigned long e;
 
   ssl_global_init();
 
   /* Get certificate for current server from global config and
@@ -210,20 +210,25 @@
     hasSavedCertificate = 1;
   }
 
   iBio = BIO_new_ssl_connect(sslCtx);
   BIO_get_ssl(iBio, &ssl);
+
+  if( !SSL_set_tlsext_host_name(ssl, g.urlName) ){
+    fossil_warning("WARNING: failed to set server name indication (SNI), "
+                  "continuing without it.\n");
+  }
+
   SSL_set_mode(ssl, SSL_MODE_AUTO_RETRY);
   if( iBio==NULL ) {
     ssl_set_errmsg("SSL: cannot open SSL (%s)", 
                     ERR_reason_error_string(ERR_get_error()));
-    return 1;    
+    return 1;
   }
-  
-  connStr = mprintf("%s:%d", g.urlName, g.urlPort);
-  BIO_set_conn_hostname(iBio, connStr);
-  free(connStr);
+
+  BIO_set_conn_hostname(iBio, g.urlName);
+  BIO_set_conn_int_port(iBio, &g.urlPort);
   
   if( BIO_do_connect(iBio)<=0 ){
     ssl_set_errmsg("SSL: cannot connect to host %s:%d (%s)", 
         g.urlName, g.urlPort, ERR_reason_error_string(ERR_get_error()));
     ssl_close();
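Review bot: the new SSL_set_tlsext_host_name(ssl, g.urlName) block is placed before the `if( iBio==NULL )` check, so when BIO_new_ssl_connect fails, `ssl` is never filled in by BIO_get_ssl and the SNI call dereferences an invalid pointer before the error path is reached. Move the block below the NULL check, next to the new `BIO_set_conn_hostname(iBio, g.urlName);` and `BIO_set_conn_int_port(iBio, &g.urlPort);` lines, so both the connection hostname and the SNI name are set on a connection object that is known to be valid. Since SSL_set_tlsext_host_name only exists in OpenSSL builds with TLS extensions enabled, consider wrapping the block in `#ifndef OPENSSL_NO_TLSEXT` so the file still compiles against older or trimmed libraries.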


-- 
Dmitry Chestnykh
http://www.codingrobots.com
_______________________________________________
fossil-users mailing list
fossil-users@lists.fossil-scm.org
http://lists.fossil-scm.org:8080/cgi-bin/mailman/listinfo/fossil-users