On Monday, 01 August 2011 at 07:18, Phil Pennock wrote:
> TLS supports sending the expected server hostname during the handshake,
> via the SNI extension. This can be used to select a server certificate
> to issue to the client, permitting virtual-hosting without requiring
> multiple IP addresses.
>
> I had this lying around in my hg checkout for, uhm, a couple of years; I
> never tested it, because I don't know of any IMAP servers which actually
> use this, but it's hopefully correct-by-inspection. I made similar
> changes back then to a number of other pieces of software, so this was
> one of a set and all the others worked fine.
>
> FWIW, this was part of the binary I used for testing the next patch I'll
> post, which was tested in connecting to Gmail with IMAPS, so it didn't
> break connecting to Gmail.
>
> At some point (far down my todo list), I'm likely to add SNI server-side
> support to Exim as an MTA, so I'll be happy to have mutt as a client for
> the SMTP/TLS side of that.
>
> Regards,
> -Phil
> diff --git a/mutt_ssl.c b/mutt_ssl.c
> +++ b/mutt_ssl.c
> @@ -344,6 +344,20 @@ static int ssl_negotiate (CONNECTION *co
> SSL_set_mode (ssldata->ssl, SSL_MODE_AUTO_RETRY);
> #endif
>
> +#if OPENSSL_VERSION_NUMBER >= 0x0090806fL && !defined(OPENSSL_NO_TLSEXT)
> + /* TLS Virtual-hosting requires that the server present the correct
> + * certificate; to do this, the ServerNameIndication TLS extension is used.
> + * If TLS is negotiated, and OpenSSL is recent enough that it might have
> + * support, and support was enabled when OpenSSL was built, mutt supports
> + * sending the hostname we think we're connecting to, so a server can send
> + * back the correct certificate.
> + * NB: finding a server which uses this for IMAP is problematic, so this is
> + * untested. Please report success or failure! However, this code change
> + * has worked fine in other projects to which the contributor has added it,
> + * for HTTP usage. */
> + SSL_set_tlsext_host_name (ssldata->ssl, conn->account.host);
> +#endif
> +
> if ((err = SSL_connect (ssldata->ssl)) != 1)
> {
> switch (SSL_get_error (ssldata->ssl, err))
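Review bot: the return value of SSL_set_tlsext_host_name at the new `+ SSL_set_tlsext_host_name (ssldata->ssl, conn->account.host);` line is discarded; it returns 1 on success and 0 on failure, so a failed set (for example, a host name OpenSSL refuses to copy) would silently fall through to SSL_connect without SNI and the user would get an unexplained certificate mismatch. Suggest `if (!SSL_set_tlsext_host_name (ssldata->ssl, conn->account.host)) dprint (1, (debugfile, "...SNI setup failed\n"));` or similar so the condition is at least visible in debug output. Also worth noting in the comment that conn->account.host may be an IP literal, which RFC 6066 does not permit in the server_name extension; skipping the call when the host is a literal address would avoid sending a malformed extension to a strict server.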
I'd prefer an autoconf test for SSL_set_tlsext_host_name instead of
the version check above. I think it's more reliable.
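The patch above sets the extension on the client side and never looks at the bytes it produces, so here is a stand-alone illustration of what the extension looks like on the wire. This is an added example, not code from mutt, from the patch, or from OpenSSL: `build_client_hello` constructs a minimal TLS record carrying a ClientHello with one server_name extension (the layout follows RFC 5246 and RFC 6066), and `extract_sni` parses such a record back with bounds checks on every length field, which is the same parsing a network monitor or IDS does when it pulls the SNI host name out of a captured handshake. The random bytes and cipher suite are constructed placeholders, and only the host_name name type is handled.

```c
/* Added example: build and parse a TLS ClientHello carrying the SNI
 * (server_name) extension. Not part of the mutt patch; the ClientHello
 * bytes are constructed here purely for demonstration. */
#include <stdio.h>
#include <string.h>
#include <stdint.h>
#include <stddef.h>

static size_t put8(uint8_t *b, size_t o, unsigned v) { b[o] = (uint8_t)v; return o + 1; }
static size_t put16(uint8_t *b, size_t o, unsigned v) { b[o] = (uint8_t)(v >> 8); b[o + 1] = (uint8_t)v; return o + 2; }
static size_t rd16(const uint8_t *b, size_t o) { return ((size_t)b[o] << 8) | b[o + 1]; }

/* Build a TLS record (content type handshake) holding a ClientHello with a
 * single server_name extension. Returns the number of bytes written, or 0
 * if buf is too small or host is too long. Total size is 61 + strlen(host). */
size_t build_client_hello(uint8_t *buf, size_t cap, const char *host)
{
    size_t hlen = strlen(host);
    if (hlen == 0 || hlen > 255 || cap < 61 + hlen) return 0;
    size_t o = 5;                              /* 5-byte record header, filled at the end */
    size_t hs_start = o;
    o = put8(buf, o, 0x01);                    /* handshake type: client_hello */
    o += 3;                                    /* 24-bit handshake length, filled below */
    size_t body_start = o;
    o = put16(buf, o, 0x0303);                 /* client_version: TLS 1.2 */
    memset(buf + o, 0x42, 32); o += 32;        /* random: constant placeholder (constructed) */
    o = put8(buf, o, 0);                       /* session_id length 0 */
    o = put16(buf, o, 2);                      /* cipher_suites length */
    o = put16(buf, o, 0x002f);                 /* TLS_RSA_WITH_AES_128_CBC_SHA (placeholder) */
    o = put8(buf, o, 1);                       /* compression_methods length */
    o = put8(buf, o, 0);                       /* null compression */
    o = put16(buf, o, (unsigned)(9 + hlen));   /* extensions total length */
    o = put16(buf, o, 0x0000);                 /* extension type: server_name */
    o = put16(buf, o, (unsigned)(5 + hlen));   /* extension data length */
    o = put16(buf, o, (unsigned)(3 + hlen));   /* ServerNameList length */
    o = put8(buf, o, 0);                       /* name_type: host_name */
    o = put16(buf, o, (unsigned)hlen);         /* HostName length */
    memcpy(buf + o, host, hlen); o += hlen;
    size_t hs_len = o - body_start;
    buf[hs_start + 1] = (uint8_t)(hs_len >> 16);
    buf[hs_start + 2] = (uint8_t)(hs_len >> 8);
    buf[hs_start + 3] = (uint8_t)hs_len;
    buf[0] = 0x16; buf[1] = 0x03; buf[2] = 0x01;   /* record: handshake, version 3.1 */
    put16(buf, 3, (unsigned)(o - 5));              /* record length */
    return o;
}

/* Parse a TLS record containing a ClientHello and copy its SNI host_name
 * into out (NUL-terminated). Returns 0 on success, -1 if the input is not
 * a ClientHello, is truncated anywhere, or carries no server_name extension. */
int extract_sni(const uint8_t *buf, size_t len, char *out, size_t outcap)
{
    if (len < 5 || buf[0] != 0x16) return -1;
    size_t rec_len = rd16(buf, 3);
    if (rec_len + 5 > len) return -1;           /* record claims more than we hold */
    len = rec_len + 5;
    size_t o = 5;
    if (o + 4 > len || buf[o] != 0x01) return -1;
    size_t hs_len = ((size_t)buf[o + 1] << 16) | ((size_t)buf[o + 2] << 8) | buf[o + 3];
    o += 4;
    if (o + hs_len > len) return -1;
    len = o + hs_len;
    if (o + 2 + 32 + 1 > len) return -1;
    o += 2 + 32;                                /* skip client_version and random */
    o += 1 + buf[o];                            /* skip session_id */
    if (o + 2 > len) return -1;
    o += 2 + rd16(buf, o);                      /* skip cipher_suites */
    if (o + 1 > len) return -1;
    o += 1 + buf[o];                            /* skip compression_methods */
    if (o + 2 > len) return -1;
    size_t end = o + 2 + rd16(buf, o);
    if (end > len) return -1;
    o += 2;
    while (o + 4 <= end) {                      /* walk the extension list */
        size_t type = rd16(buf, o), elen = rd16(buf, o + 2);
        o += 4;
        if (o + elen > end) return -1;
        if (type == 0x0000) {                   /* server_name */
            if (elen < 5 || buf[o + 2] != 0) return -1;   /* only host_name handled */
            size_t nlen = rd16(buf, o + 3);
            if (5 + nlen > elen || nlen + 1 > outcap) return -1;
            memcpy(out, buf + o + 5, nlen);
            out[nlen] = '\0';
            return 0;
        }
        o += elen;
    }
    return -1;
}

int main(void)
{
    uint8_t hello[256]; char name[256];
    size_t n = build_client_hello(hello, sizeof hello, "imap.example.com");
    if (n && extract_sni(hello, n, name, sizeof name) == 0)
        printf("ClientHello is %zu bytes, SNI host_name = %s\n", n, name);
    return 0;
}
```

The parser re-derives every offset from the length fields rather than trusting the record length alone, which is why a record cut short by even one byte is rejected instead of being read past its end; that is the property a monitoring tool parsing untrusted handshake bytes needs most.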