On Thu, 15 Dec 2011 01:43:42 +0100 BohwaZ wrote: > So it appears that Fossil doesn't support SNI. > > I did a small patch in src/http_ssl.c and it seems to work, but maybe > it's not the best code for that purpose as I usually don't work in C: > > 214a215 > > SSL_set_tlsext_host_name(ssl, g.urlName);
This seems correct to me. I expanded your patch a bit to show a warning if we fail to set SNI. I also simplified setting of the connection port. Richard, should I commit this into trunk?

Index: src/http_ssl.c ================================================================== --- src/http_ssl.c +++ src/http_ssl.c @@ -193,11 +193,11 @@ */ int ssl_open(void){ X509 *cert; int hasSavedCertificate = 0; int trusted = 0; - char *connStr ; + char *connStr; unsigned long e; ssl_global_init(); /* Get certificate for current server from global config and @@ -210,20 +210,25 @@ hasSavedCertificate = 1; } iBio = BIO_new_ssl_connect(sslCtx); BIO_get_ssl(iBio, &ssl); + + if( !SSL_set_tlsext_host_name(ssl, g.urlName) ){ + fossil_warning("WARNING: failed to set server name indication (SNI), " + "continuing without it.\n"); + } + SSL_set_mode(ssl, SSL_MODE_AUTO_RETRY); if( iBio==NULL ) { ssl_set_errmsg("SSL: cannot open SSL (%s)", ERR_reason_error_string(ERR_get_error())); - return 1; + return 1; } - - connStr = mprintf("%s:%d", g.urlName, g.urlPort); - BIO_set_conn_hostname(iBio, connStr); - free(connStr); + + BIO_set_conn_hostname(iBio, g.urlName); + BIO_set_conn_int_port(iBio, &g.urlPort); if( BIO_do_connect(iBio)<=0 ){ ssl_set_errmsg("SSL: cannot connect to host %s:%d (%s)", g.urlName, g.urlPort, ERR_reason_error_string(ERR_get_error())); ssl_close();

-- Dmitry Chestnykh http://www.codingrobots.com
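
Review bot: In the @@ -193,11 +193,11 @@ hunk, the declaration "char *connStr;" only gets a whitespace fix, but the second hunk deletes the mprintf(), BIO_set_conn_hostname(iBio, connStr) and free(connStr) lines that were its visible uses. If nothing else in ssl_open() references connStr, drop the declaration here instead of reformatting it, so the function does not carry an unused variable.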
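
Review bot: In the @@ -210,20 +210,25 @@ hunk, SSL_set_tlsext_host_name(ssl, g.urlName) is added above the "if( iBio==NULL )" check, so when BIO_new_ssl_connect(sslCtx) fails the new call runs on an ssl pointer that BIO_get_ssl() never filled in. Move the iBio==NULL test directly after BIO_new_ssl_connect() and set SNI only once ssl is known to be valid. The call also passes g.urlName unconditionally; RFC 6066 does not permit literal IP addresses in the server_name extension, so skip it when the URL host is a numeric address. Because the code continues after a failed SNI setup, a server hosting several names may answer with its default certificate, and the warning text could say that the certificate presented next may not match the requested host.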