TLS supports sending the expected server hostname during the handshake, via the SNI extension. This can be used to select a server certificate to issue to the client, permitting virtual-hosting without requiring multiple IP addresses.
I had this lying around in my hg checkout for, uhm, a couple of years; I never tested it, because I don't know of any IMAP servers which actually use this, but it's hopefully correct-by-inspection. I made similar changes back then to a number of other pieces of software, so this was one of a set and all the others worked fine. FWIW, this was part of the binary I used for testing the next patch I'll post, which was tested in connecting to Gmail with IMAPS, so it didn't break connecting to Gmail. At some point (far down my todo list), I'm likely to add SNI server-side support to Exim as an MTA, so I'll be happy to have mutt as a client for the SMTP/TLS side of that.

Regards,
-Phil
# HG changeset patch # User Phil Pennock <[email protected]> # Date 1312190773 14400 # Branch HEAD # Node ID a1e4667211b4c5f2dcca06ad8f352cb86dac94c3 # Parent b01d63af6feab5e0b791ad12b04a1068d6a41cf6 OpenSSL SNI support diff --git a/README.SSL b/README.SSL --- a/README.SSL +++ b/README.SSL @@ -5,7 +5,7 @@ Compilation ----------- If you want to have SSL support in mutt, you need to install OpenSSL (http://www.openssl.org) libraries and headers before compiling. -OpenSSL versions 0.9.3 through 0.9.6a have been tested. +OpenSSL versions 0.9.3 through 0.9.8k have been tested. For SSL support to be enabled, you need to run the ``configure'' script with ``--enable-imap --with-ssl[=PFX]'' parameters. If the @@ -65,6 +65,12 @@ certificate, the connection will be esta can also be saved so that further connections to the server are automatically accepted. +If OpenSSL was built with support for ServerNameIndication (SNI) and TLS +is used in the negotiation, mutt will send its idea of the server-name +as part of the TLS negotiation. This allows the server to select an +appropriate certificate, in the event that one server handles multiple +hostnames with different certificates. + If your organization has several equivalent IMAP-servers, each of them should have a unique certificate which is signed with a common certificate. If you want to use all of those servers, you don't need to @@ -102,9 +108,15 @@ you know which options do not work, you protocols to know. The variables for the protocols are ssl_use_tlsv1, ssl_use_sslv2, and ssl_use_sslv3. +To verify TLS SNI, you can use: + openssl sl_client -host <imap server> -port <port> \ + -tls1 -servername <imap server> + + -- Tommi Komulainen [email protected] -Updated by Jeremy Katz [email protected] +Updated by: + Jeremy Katz <[email protected]> + Phil Pennock <[email protected]> diff --git a/mutt_ssl.c b/mutt_ssl.c --- a/mutt_ssl.c +++ b/mutt_ssl.c 
@@ -344,6 +344,20 @@ static int ssl_negotiate (CONNECTION *co SSL_set_mode (ssldata->ssl, SSL_MODE_AUTO_RETRY); #endif +#if OPENSSL_VERSION_NUMBER >= 0x0090806fL && !defined(OPENSSL_NO_TLSEXT) + /* TLS Virtual-hosting requires that the server present the correct + * certificate; to do this, the ServerNameIndication TLS extension is used. + * If TLS is negotiated, and OpenSSL is recent enough that it might have + * support, and support was enabled when OpenSSL was built, mutt supports + * sending the hostname we think we're connecting to, so a server can send + * back the correct certificate. + * NB: finding a server which uses this for IMAP is problematic, so this is + * untested. Please report success or failure! However, this code change + * has worked fine in other projects to which the contributor has added it, + * for HTTP usage. */ + SSL_set_tlsext_host_name (ssldata->ssl, conn->account.host); +#endif + if ((err = SSL_connect (ssldata->ssl)) != 1) { switch (SSL_get_error (ssldata->ssl, err))
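Review bot: the second README.SSL hunk says mutt sends "its idea of the server-name" without saying what that is; state that it is the hostname configured for the account (the `conn->account.host` passed to `SSL_set_tlsext_host_name` in the mutt_ssl.c hunk), so users understand that connecting through an IP address or a CNAME alias changes the name the server sees and therefore which certificate it selects.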
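Review bot: the verification command in the third README.SSL hunk has a typo: `openssl sl_client -host <imap server> -port <port>` should read `openssl s_client -host <imap server> -port <port>`; as written the command fails. It would also help to say that `-servername` is what supplies the SNI value, so the reader knows to compare the certificate returned with and without it.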
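Review bot: the return value of `SSL_set_tlsext_host_name (ssldata->ssl, conn->account.host)` in the mutt_ssl.c hunk is discarded; the call returns 0 on failure, and since the code comment itself says the path is untested, at least report a failure in mutt's debug output so that a silent fallback to no SNI can be noticed. The call is also made with whatever `conn->account.host` holds, including an IP literal; the SNI host_name field is defined for DNS hostnames only, so skipping the call when the host parses as an IPv4/IPv6 address (for example with `inet_pton`) would avoid sending a non-conforming extension to servers that reject it.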
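The opening of the mail describes SNI as the hostname sent inside the handshake. As an added example, not part of this mail or of mutt, the following Python builds a constructed TLS 1.0 ClientHello carrying a server_name extension and then parses the host_name back out of the raw record, which is what a server or a packet capture would see as mutt's "idea of the server-name":

```python
import struct

def build_client_hello(server_name=None):
    """Constructed sample ClientHello (TLS 1.0 record) with an optional SNI extension."""
    random_bytes = b"\x00" * 32                   # constructed, not real randomness
    body = b"\x03\x01" + random_bytes             # client_version + random
    body += b"\x00"                               # session_id length 0
    body += struct.pack("!H", 2) + b"\x00\x2f"    # one cipher suite
    body += b"\x01\x00"                           # one compression method: null
    if server_name is not None:
        name = server_name.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name   # name_type host_name(0)
        sni_list = struct.pack("!H", len(entry)) + entry        # server_name_list
        ext = struct.pack("!HH", 0, len(sni_list)) + sni_list   # extension_type server_name(0)
        body += struct.pack("!H", len(ext)) + ext
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def extract_sni(record):
    """Return the host_name from a ClientHello's SNI extension, or None if absent/malformed."""
    try:
        if record[0] != 0x16 or record[5] != 0x01:        # handshake record, ClientHello
            return None
        hs_len = int.from_bytes(record[6:9], "big")
        p = record[9:9 + hs_len]
        pos = 2 + 32                                      # skip client_version and random
        sid_len = p[pos]; pos += 1 + sid_len
        cs_len = struct.unpack("!H", p[pos:pos + 2])[0]; pos += 2 + cs_len
        cm_len = p[pos]; pos += 1 + cm_len
        if pos + 2 > len(p):
            return None                                   # no extensions block at all
        ext_len = struct.unpack("!H", p[pos:pos + 2])[0]; pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", p[pos:pos + 4]); pos += 4
            if etype == 0:                                # server_name extension
                q = pos + 2                               # skip server_name_list length
                while q + 3 <= pos + elen:
                    ntype = p[q]
                    nlen = struct.unpack("!H", p[q + 1:q + 3])[0]
                    if ntype == 0:                        # host_name
                        return p[q + 3:q + 3 + nlen].decode("ascii")
                    q += 3 + nlen
            pos += elen
        return None
    except (IndexError, struct.error, UnicodeDecodeError):
        return None                                       # truncated or malformed record
```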
