Sometimes I don't want gnutls-cli to send SNI. The two ways I see to do this currently are:
0) do the DNS resolution outside of gnutls-cli:
gnutls-cli $(dig +short foo.example | head -n1)
1) disable all TLS extensions:
gnutls-cli --disable-extensions
The problem with (0), of course, is that the certificate verification
fails because gnutls-cli doesn't know what to check for.
The problem with (1) is that sometimes I'd like to use other extensions
while avoiding SNI. And gnutls-cli(1) claims it's deprecated:
> This option disables all TLS extensions. Deprecated option. Use the priority
> string.
But I don't see how to use the priority string to disable SNI itself.
src/cli.c doesn't seem to offer a way to do it:
-------------
  if (disable_extensions == 0)
    {
      if (!isdigit(hostname[0]) && strchr(hostname, ':') == 0)
        gnutls_server_name_set (session, GNUTLS_NAME_DNS, hostname,
                                strlen (hostname));
    }
-------------
I'm currently trying to make a patch for a --disable-sni flag to
gnutls-cli (does something like that sound useful?), but I seem to be
stumbling over some of the generated files that are committed to the git
repo.
The attached patch seems like the nice minimal thing to add, but then it
appears to be necessary to also do:
cd src && autogen cli-args.def
But that creates a much larger and more opaque patch, and then compilation
fails (perhaps because my system has autogen 5.17.1 and the existing
other autogen'ed headers appear to be from autogen 5.16).
The compilation failure looks like this:
CC libcmd_cli_la-cli-args.lo
In file included from cli-args.c:44:0:
cli-args.h:62:3: error: #error option template version mismatches
autoopts/options.h header
cli-args.h:63:3: error: unknown type name 'Choke'
cli-args.h:63:11: error: expected '=', ',', ';', 'asm' or '__attribute__'
before '.' token
cli-args.h:117:3: warning: data definition has no type or storage class
[enabled by default]
cli-args.h:117:3: warning: type defaults to 'int' in declaration of
'teOptIndex' [enabled by default]
cli-args.c:1190:29: error: 'INDEX_OPT_VERSION' undeclared here (not in a
function)
cli-args.c:1204:29: error: 'INDEX_OPT_HELP' undeclared here (not in a function)
cli-args.c:1216:29: error: 'INDEX_OPT_MORE_HELP' undeclared here (not in a
function)
cli-args.c: In function 'AO_gettext':
cli-args.c:1583:9: error: 'option_xlateable_txt' undeclared (first use in this
function)
cli-args.c:1583:9: note: each undeclared identifier is reported only once for
each function it appears in
cli-args.c: In function 'translate_option_strings':
cli-args.c:1622:9: error: 'option_xlateable_txt' undeclared (first use in this
function)
make[4]: *** [libcmd_cli_la-cli-args.lo] Error 1
make[4]: Leaving directory `/tmp/cdtemp.TdCJYy/gnutls/src'
make[3]: *** [all-recursive] Error 1
make[3]: Leaving directory `/tmp/cdtemp.TdCJYy/gnutls/src'
make[2]: *** [all] Error 2
make[2]: Leaving directory `/tmp/cdtemp.TdCJYy/gnutls/src'
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory `/tmp/cdtemp.TdCJYy/gnutls'
make: *** [all] Error 2
2 dkg@alice:/tmp/cdtemp.TdCJYy/gnutls$
Any ideas about how I should proceed with this?
Regards,
--dkg
commit b8eb1c76a2dc847a671c991374f90d8ef8566c1b Author: Daniel Kahn Gillmor <[email protected]> Date: Tue Jan 29 15:00:56 2013 -0500 add --disable-cli to gnutls-cli diff --git a/src/cli-args.def b/src/cli-args.def index ea976ed..5e663c0 100644 --- a/src/cli-args.def +++ b/src/cli-args.def @@ -308,6 +308,12 @@ flag = { doc = "Print a list of the supported algorithms and modes. If a priority string is given then only the enabled ciphersuites are shown."; }; +flag = { + name = disable-sni; + descrip = "Do not send a Server Name Indication (SNI)"; + doc = ""; +}; + doc-section = { diff --git a/src/cli.c b/src/cli.c index a134daa..fa98f81 100644 --- a/src/cli.c +++ b/src/cli.c @@ -88,6 +88,7 @@ const char *x509_cafile = NULL; const char *x509_crlfile = NULL; static int x509ctype; static int disable_extensions; +static int disable_sni; static unsigned int init_flags = GNUTLS_CLIENT; static const char * priorities = NULL; @@ -630,7 +631,7 @@ init_tls_session (const char *hostname) /* allow the use of private ciphersuites. */ - if (disable_extensions == 0) + if (disable_extensions == 0 && disable_sni == 0) { if (!isdigit(hostname[0]) && strchr(hostname, ':') == 0) gnutls_server_name_set (session, GNUTLS_NAME_DNS, hostname, @@ -1131,6 +1132,7 @@ const char* rest = NULL; exit(0); } + disable_sni = HAVE_OPT(DISABLE_SNI); disable_extensions = HAVE_OPT( DISABLE_EXTENSIONS); if (disable_extensions) init_flags |= GNUTLS_NO_EXTENSIONS;
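Review bot: in the src/cli-args.def hunk the new flag is declared with `doc = "";`, so the generated manpage and --help text for --disable-sni will carry no explanation; fill it in with the one fact that distinguishes this option from --disable-extensions, along the lines of "Do not send the Server Name Indication extension; the hostname is still used for certificate verification." The commit subject also reads "add --disable-cli to gnutls-cli" while the option actually added is disable-sni.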
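Review bot: in the src/cli.c hunk at @@ -630,7 +631,7 @@ the new condition `disable_extensions == 0 && disable_sni == 0` only suppresses the gnutls_server_name_set() call, so the hostname passed to init_tls_session() remains available for certificate-name checking, which is exactly the behaviour the mail wants over the `dig +short` workaround. Consider printing a short notice in verbose mode when SNI is suppressed: a server that selects certificates by SNI will hand back its default certificate, and the resulting name-mismatch error otherwise looks like an ordinary verification failure.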
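Review bot: in the src/cli.c hunk at @@ -1131,6 +1132,7 @@ the line `disable_sni = HAVE_OPT(DISABLE_SNI);` depends on the DISABLE_SNI option index existing in src/cli-args.h, which is generated from cli-args.def and is committed to the repository; this patch changes only the .def file, so the build only works after cli-args.c and cli-args.h are regenerated. The "option template version mismatches autoopts/options.h header" error in the build log comes from regenerating with a different autogen than produced the other committed headers, not from this hunk, so either include the regenerated files produced with the matching autogen version or state the required version in the commit message.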
_______________________________________________
Gnutls-help mailing list
[email protected]
http://lists.gnupg.org/mailman/listinfo/gnutls-help
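The point behind the mail is that "no SNI" and "no hostname to verify against" are different things: workaround (0) loses the second along with the first. The following is an added example, not code from the mail or from the GnuTLS project, showing the separation with Python's ssl module rather than gnutls-cli: wrapping the socket without a server_hostname means no SNI extension is sent, chain validation against the system trust store still happens (CERT_REQUIRED), and the name check is done explicitly against a caller-supplied name, so the socket can be opened to an IP literal resolved elsewhere (as with `dig +short`) while the certificate is still checked for the real DNS name. The certificate dictionary, the example.com names and the helper names are all constructed for this example.

```python
"""Connect over TLS without sending SNI, yet still verify the peer's
certificate against the intended hostname.

Added example (not gnutls-cli or GnuTLS code). Assumptions: Python 3 ssl
module; hostnames and SAMPLE_CERT below are constructed sample data.
"""
import socket
import ssl


def cert_matches_hostname(cert, hostname):
    """True if `cert` (the dict shape SSLSocket.getpeercert() returns)
    carries `hostname` as a dNSName SAN.

    Rules: case-insensitive; trailing dot ignored; a wildcard is accepted
    only as the entire leftmost label and only when at least two labels
    follow it ("*.cdn.example.com" matches "foo.cdn.example.com", never
    "cdn.example.com", "a.b.cdn.example.com" or "*.com"); partial
    wildcards such as "f*.example.com" are rejected; the subject CN is
    ignored, SANs only.
    """
    host_labels = hostname.rstrip(".").lower().split(".")
    for kind, value in cert.get("subjectAltName", ()):
        if kind != "DNS":                      # IP Address / email SANs ignored
            continue
        pat_labels = value.rstrip(".").lower().split(".")
        if len(pat_labels) != len(host_labels):
            continue
        if any("*" in p for p in pat_labels[1:]):
            continue                           # wildcard only in leftmost label
        first = pat_labels[0]
        if "*" in first and (first != "*" or len(pat_labels) < 3):
            continue                           # no partial wildcard, no "*.tld"
        if first in ("*", host_labels[0]) and pat_labels[1:] == host_labels[1:]:
            return True
    return False


def connect_without_sni(host, port=443, verify_name=None, timeout=10):
    """Open a TLS connection to host:port with NO SNI extension.

    The chain is validated against the system trust store; the name is
    then checked by us against `verify_name` (defaults to `host`). Pass
    the DNS name as verify_name when `host` is an IP literal, which is
    the case the mail's `dig +short` workaround cannot handle.
    Returns the connected SSLSocket; raises on any verification failure.
    """
    verify_name = verify_name or host
    ctx = ssl.create_default_context()   # CERT_REQUIRED + system CA bundle
    ctx.check_hostname = False           # name check is done below, not by ssl
    raw = socket.create_connection((host, port), timeout=timeout)
    tls = ctx.wrap_socket(raw)           # no server_hostname => no SNI sent
    try:
        cert = tls.getpeercert()
        if not cert_matches_hostname(cert, verify_name):
            raise ssl.CertificateError(
                "certificate does not match %r (no SNI was sent, so the "
                "server may have served its default virtual host's cert)"
                % verify_name)
    except Exception:
        tls.close()
        raise
    return tls


# Constructed sample certificate data, in the getpeercert() dict shape.
SAMPLE_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "subjectAltName": (
        ("DNS", "www.example.com"),
        ("DNS", "*.cdn.example.com"),
        ("IP Address", "192.0.2.10"),
    ),
}


if __name__ == "__main__":
    import sys
    # Offline demonstration of the name check on the constructed cert.
    for name in ("www.example.com", "foo.cdn.example.com", "cdn.example.com"):
        print(name, cert_matches_hostname(SAMPLE_CERT, name))
    # Optional live use: python3 nosni.py 203.0.113.5 www.example.com
    if len(sys.argv) == 3:
        s = connect_without_sni(sys.argv[1], 443, verify_name=sys.argv[2])
        print("verified", sys.argv[2], "without SNI; cipher:", s.cipher())
        s.close()
```

Running it with a resolved address and the DNS name reproduces the mail's scenario: the ClientHello carries no server_name extension, and if the server answers with a certificate for a different virtual host the connection is refused with a name mismatch rather than silently accepted.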
