Bug#725830: [proxytunnel] SNI TLS support

2014-01-26 Thread Julian Gilbey
On Tue, Oct 08, 2013 at 11:14:26PM +0200, Nicolas Vinot wrote:
> Package: proxytunnel
> Version: 1.9.0-6
> Severity: wishlist
> Tags: patch
> 
> Hello Debian maintainers,
> 
> Here is a tiny patch to add SNI support to proxytunnel.
> Tested with my remote apache proxy, it seems to be working and allows not
> reserving the default apache vhost for proxytunnel and really using a fully
> dedicated vhost for proxying.
> Could you integrate it into your next version?
> 
> I will try to propagate it upstream, but because of the OpenSSL to GNUTLS
> Debian patch, it's not possible immediately.

Hello Nicolas!

Thanks for this patch.  I've just uploaded version 1.9.0+svn250-1 to
unstable, which reverts to using OpenSSL (due to a change in license
conditions allowing this to happen).  I've tried writing a version of
your patch for OpenSSL, which seems to work.  Attached is the patch
I've used (in comparison to 1.9.0+svn250-1, not including the
changelog); does this seem to be correct to you?  If so, I'll upload
-2 to unstable.

Best wishes,

   Julian
--- a/ptstream.c
+++ b/ptstream.c
@@ -161,13 +161,24 @@
 #ifdef USE_SSL
SSL *ssl;
SSL_CTX *ctx;
-   
+   int ret;
+
/* Initialise the connection */
SSLeay_add_ssl_algorithms();
SSL_load_error_strings();
 
ctx = SSL_CTX_new (SSLv3_client_method());
ssl = SSL_new (ctx);
+
+   if (args_info.verbose_flag) {
+   message(Set SNI hostname to %s\n, args_info.proxyhost_arg);
+   }
+   ret = SSL_set_tlsext_host_name(ssl, args_info.proxyhost_arg);
+   if (!ret) {
+   message(TLS SNI error, giving up: SSL_set_tlsext_host_name 
failed\n);
+   exit(1);
+   }
+
SSL_set_rfd (ssl, stream_get_incoming_fd(pts));
SSL_set_wfd (ssl, stream_get_outgoing_fd(pts)); 
SSL_connect (ssl);
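Review bot: the SNI name is set on an SSL object whose context comes from `SSLv3_client_method()` (the context line just above the added block); SNI is a TLS extension, and OpenSSL 1.0.x does not add ClientHello extensions when the client version is pinned to SSL 3.0, so the name passed to `SSL_set_tlsext_host_name()` would not reach the proxy. Create the context with `SSLv23_client_method()` and set `SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3` on it so a TLS ClientHello carrying the server_name extension is sent, and confirm on the proxy side (access log or a packet capture) that the dedicated vhost is actually selected. While here, the results of `SSL_CTX_new()` and `SSL_new()` are still used without a NULL check before the new `SSL_set_tlsext_host_name()` call.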


Bug#725830: Re: Bug#725830: [proxytunnel] SNI TLS support

2014-01-26 Thread Nicolas Vinot
> Attached is the patch
> I've used (in comparison to 1.9.0+svn250-1, not including the
> changelog); does this seem to be correct to you?  If so, I'll upload
> -2 to unstable.

Hi Julian,

Seems good and working :)

Thanks,
-- 
Nicolas



Bug#725830: [proxytunnel] SNI TLS support

2013-10-08 Thread Nicolas Vinot
Package: proxytunnel
Version: 1.9.0-6
Severity: wishlist
Tags: patch

Hello Debian maintainers,

Here is a tiny patch to add SNI support to proxytunnel.
Tested with my remote apache proxy, it seems to be working and allows not
reserving the default apache vhost for proxytunnel and really using a fully
dedicated vhost for proxying.
Could you integrate it into your next version?

I will try to propagate it upstream, but because of the OpenSSL to GNUTLS
Debian patch, it's not possible immediately.

Regards

--- System information. ---
Architecture: amd64
Kernel:   Linux 3.10-3-amd64

--- Package information. ---
Depends      (Version)       | Installed
=============================+===========
libc6        (>= 2.15)       | 2.17-93
libgnutls26  (>= 2.12.17-0)  | 2.12.23-7
libmhash2                    | 0.9.9.9-3

-- 
Nicolas Vinot

Description: Server Name Indication support
  See RFC #3546 (https://tools.ietf.org/html/rfc3546#section-3.1)
Author: Nicolas Vinot aeris+deb...@imirhil.fr
Forwarded: no
Last-Update: 2013-10-08

--- a/ptstream.c
+++ b/ptstream.c
@@ -164,13 +164,21 @@
 int stream_enable_ssl(PTSTREAM *pts) {
 #ifdef USE_SSL
 	int ret;
-
+	
 	/* Initialise the context, copied from example in GNUTLS manual */
 	gnutls_init(pts-session, GNUTLS_CLIENT);
 	gnutls_priority_set_direct(pts-session, PERFORMANCE, NULL);
 	/* gnutls_credentials_set(pts-session, GNUTLS_CRD_ANON, anoncred); */
 	/* Use X.509 rather than anonymous */
 	gnutls_credentials_set(pts-session, GNUTLS_CRD_CERTIFICATE, xcred);
+	if ( args_info.verbose_flag ) {
+		message( Set SNI hostname to %s\n, args_info.proxyhost_arg );
+	}
+	ret = gnutls_server_name_set(pts-session, GNUTLS_NAME_DNS, args_info.proxyhost_arg, strlen(args_info.proxyhost_arg));
+	if (ret  0) {
+		message( TLS SNI error, giving up: gnutls_server_name_set returned error message:\n  %s\n, gnutls_strerror(ret) );
+		exit( 1 );
+	}
 
 	gnutls_transport_set_ptr2(pts-session,
 		  (gnutls_transport_ptr_t) stream_get_incoming_fd(pts),
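Review bot: `stream_enable_ssl(PTSTREAM *pts)` takes a generic stream, but the added `gnutls_server_name_set()` call always sends `args_info.proxyhost_arg`; if this function is also used to start TLS towards the destination host rather than the proxy, the wrong name goes out and a name-based vhost on that side will not match. Pass the peer hostname for this stream into the function (or carry it in the PTSTREAM) instead of reading the global proxy option, and guard against a NULL `proxyhost_arg` before the `strlen()` call. The error check on a negative return is the right one for GnuTLS. The `-`/`+` pair at the top of the hunk only replaces an empty line with a tab-only line, which adds trailing whitespace; drop that pair.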

