Bug#725830: [proxytunnel] SNI TLS support
On Tue, Oct 08, 2013 at 11:14:26PM +0200, Nicolas Vinot wrote:
> Package: proxytunnel
> Version: 1.9.0-6
> Severity: wishlist
> Tags: patch
>
> Hello Debian maintainers,
>
> Here is a tiny patch to add SNI support to proxytunnel. Tested with my remote apache proxy, it seems to work and allows not reserving the default apache vhost for proxytunnel and really using a fully dedicated vhost for proxying. Could you integrate it into your next version? I will try to propagate it upstream, but because of the OpenSSL to GNUTLS Debian patch, it's not possible immediately.

Hello Nicolas!

Thanks for this patch. I've just uploaded version 1.9.0+svn250-1 to unstable, which reverts to using OpenSSL (due to a change in license conditions allowing this to happen).

I've tried writing a version of your patch for OpenSSL, which seems to work. Attached is the patch I've used (in comparison to 1.9.0+svn250-1, not including the changelog); does this seem to be correct to you? If so, I'll upload -2 to unstable.

Best wishes,

Julian

--- a/ptstream.c +++ b/ptstream.c @@ -161,13 +161,24 @@ #ifdef USE_SSL SSL *ssl; SSL_CTX *ctx; - + int ret; + /* Initialise the connection */ SSLeay_add_ssl_algorithms(); SSL_load_error_strings(); ctx = SSL_CTX_new (SSLv3_client_method()); ssl = SSL_new (ctx); + + if (args_info.verbose_flag) { + message(Set SNI hostname to %s\n, args_info.proxyhost_arg); + } + ret = SSL_set_tlsext_host_name(ssl, args_info.proxyhost_arg); + if (!ret) { + message(TLS SNI error, giving up: SSL_set_tlsext_host_name failed\n); + exit(1); + } + SSL_set_rfd (ssl, stream_get_incoming_fd(pts)); SSL_set_wfd (ssl, stream_get_outgoing_fd(pts)); SSL_connect (ssl);
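Review bot: the new SSL_set_tlsext_host_name() call operates on a session whose context comes from SSLv3_client_method() (the unchanged line just above it). server_name is a TLS hello extension (RFC 3546 section 3.1, as the original report cites), and an SSLv3 ClientHello carries no extensions, so OpenSSL does not put the name on the wire for an SSLv3-only connection and the proxy never sees it. Suggest creating the context with a method that negotiates TLS, for example SSLv23_client_method() plus SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3), so the SNI value actually reaches the vhost. Second, args_info.proxyhost_arg may be an IP address, and RFC 3546 does not permit literal IPv4/IPv6 addresses in HostName; when the argument parses as an address literal the call should be skipped (with a verbose message) rather than the connection aborted via exit(1). The `if (!ret)` test itself is correct: SSL_set_tlsext_host_name() returns 1 on success and 0 on failure.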
Bug#725830: Re: Bug#725830: [proxytunnel] SNI TLS support
> Attached is the patch I've used (in comparison to 1.9.0+svn250-1, not including the changelog); does this seem to be correct to you? If so, I'll upload -2 to unstable.

Hi Julian,

Seems good and working :)

Thanks,
--
Nicolas
Bug#725830: [proxytunnel] SNI TLS support
Package: proxytunnel
Version: 1.9.0-6
Severity: wishlist
Tags: patch

--- Please enter the report below this line. ---
Hello Debian maintainers,

Here is a tiny patch to add SNI support to proxytunnel. Tested with my remote apache proxy, it seems to work and allows not reserving the default apache vhost for proxytunnel and really using a fully dedicated vhost for proxying. Could you integrate it into your next version? I will try to propagate it upstream, but because of the OpenSSL to GNUTLS Debian patch, it's not possible immediately.

Regards

--- System information. ---
Architecture: amd64
Kernel: Linux 3.10-3-amd64

--- Package information. ---
Depends (Version)          | Installed
===========================+===========
libc6 (>= 2.15)            | 2.17-93
libgnutls26 (>= 2.12.17-0) | 2.12.23-7
libmhash2                  | 0.9.9.9-3

--
Nicolas Vinot

Description: Server Name Indication support
 See RFC #3546 (https://tools.ietf.org/html/rfc3546#section-3.1)
Author: Nicolas Vinot aeris+deb...@imirhil.fr
Forwarded: no
Last-Update: 2013-10-08

--- a/ptstream.c +++ b/ptstream.c @@ -164,13 +164,21 @@ int stream_enable_ssl(PTSTREAM *pts) { #ifdef USE_SSL int ret; - + /* Initialise the context, copied from example in GNUTLS manual */ gnutls_init(pts-session, GNUTLS_CLIENT); gnutls_priority_set_direct(pts-session, PERFORMANCE, NULL); /* gnutls_credentials_set(pts-session, GNUTLS_CRD_ANON, anoncred); */ /* Use X.509 rather than anonymous */ gnutls_credentials_set(pts-session, GNUTLS_CRD_CERTIFICATE, xcred); + if ( args_info.verbose_flag ) { + message( Set SNI hostname to %s\n, args_info.proxyhost_arg ); + } + ret = gnutls_server_name_set(pts-session, GNUTLS_NAME_DNS, args_info.proxyhost_arg, strlen(args_info.proxyhost_arg)); + if (ret 0) { + message( TLS SNI error, giving up: gnutls_server_name_set returned error message:\n %s\n, gnutls_strerror(ret) ); + exit( 1 ); + } gnutls_transport_set_ptr2(pts-session, (gnutls_transport_ptr_t) stream_get_incoming_fd(pts),
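Review bot: gnutls_server_name_set() is called with args_info.proxyhost_arg unconditionally, but RFC 3546 section 3.1 (cited in the patch header) does not permit literal IPv4/IPv6 addresses in HostName, so a user who names the proxy by address gets a connection that is either rejected by a strict peer or aborted locally by the exit(1) branch; skip the call when the argument parses as an address literal and only fail hard on a real library error. The negative-return check reported through gnutls_strerror() follows the GnuTLS convention, and placing the call before gnutls_transport_set_ptr2() keeps it ahead of the handshake as required. The hunk relies on strlen(), so make sure <string.h> is included in ptstream.c (the hunk does not show it), and the spacing inside `message( ... )` and `exit( 1 )` differs from the surrounding code's `gnutls_init(...)` style.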
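Both patches in this thread pass the proxy host name to the TLS library and let it build the server_name extension. As an added example (not proxytunnel's code and not part of either patch), the Python below encodes and parses that extension by hand in the wire format of RFC 3546 section 3.1 (unchanged in RFC 6066), and applies the rule both patches skip: literal IPv4/IPv6 addresses are not permitted in HostName, so SNI is omitted for them. The parser is what a proxy or a passive monitor would run over a captured ClientHello to log which vhost a client asked for; the constructed byte strings in the test are mine, not traffic from the page.

```python
"""Server Name Indication (SNI) extension: encode for a ClientHello, parse from one.

Added example; wire format per RFC 3546 section 3.1 / RFC 6066 section 3.
"""
import ipaddress
import struct

EXT_SERVER_NAME = 0x0000   # ExtensionType server_name(0)
NAME_TYPE_HOST = 0x00      # NameType host_name(0)


def sni_hostname(host):
    """Normalise a host string for use in SNI.

    Returns the lower-cased name without a trailing dot, or None when the
    extension must be omitted because the host is an IP literal (RFC 3546
    forbids literal addresses in HostName). Raises ValueError for unusable input.
    """
    h = host.strip()
    if h.startswith("[") and h.endswith("]"):   # bracketed IPv6 literal
        h = h[1:-1]
    try:
        ipaddress.ip_address(h)
    except ValueError:
        pass                                    # not an address: treat as a name
    else:
        return None                             # address literal: no SNI
    h = h.rstrip(".").lower()
    if not h or len(h) > 255:
        raise ValueError("invalid SNI hostname: %r" % host)
    h.encode("ascii")   # SNI carries ASCII (IDNA A-label) names; raw Unicode is rejected here
    return h


def encode_sni_extension(host):
    """Build the complete server_name extension (type, length, ServerNameList).

    Returns b'' when no extension should be sent for this host.
    """
    name = sni_hostname(host)
    if name is None:
        return b""
    raw = name.encode("ascii")
    # ServerName = NameType(1) + HostName length(2) + HostName
    server_name = struct.pack("!BH", NAME_TYPE_HOST, len(raw)) + raw
    # ServerNameList = list length(2) + ServerName entries
    server_name_list = struct.pack("!H", len(server_name)) + server_name
    # Extension = ExtensionType(2) + extension_data length(2) + extension_data
    return struct.pack("!HH", EXT_SERVER_NAME, len(server_name_list)) + server_name_list


def parse_sni_extension(data):
    """Parse one server_name extension and return its host_name, or None.

    Every length field is checked against the bytes actually present, so a
    truncated or inconsistent extension yields None instead of a sliced guess.
    """
    if len(data) < 4:
        return None
    ext_type, ext_len = struct.unpack("!HH", data[:4])
    if ext_type != EXT_SERVER_NAME or ext_len != len(data) - 4:
        return None
    body = data[4:]
    if len(body) < 2:
        return None
    (list_len,) = struct.unpack("!H", body[:2])
    if list_len != len(body) - 2:
        return None
    pos = 2
    while pos + 3 <= len(body):
        name_type, name_len = struct.unpack("!BH", body[pos:pos + 3])
        pos += 3
        if pos + name_len > len(body):
            return None                         # entry claims more bytes than exist
        if name_type == NAME_TYPE_HOST:
            try:
                return body[pos:pos + name_len].decode("ascii")
            except UnicodeDecodeError:
                return None
        pos += name_len                         # unknown NameType: skip the entry
    return None


if __name__ == "__main__":
    # Constructed inputs: a proxy named by host name and one named by address.
    for host in ("Proxy.Example.NET.", "192.0.2.10", "[2001:db8::1]"):
        ext = encode_sni_extension(host)
        print("%-20s -> %s -> %r" % (host, ext.hex() or "(no SNI)", parse_sni_extension(ext)))
```

The encoder produces the extension body only; a real client appends it to the ClientHello extensions block, which is what SSL_set_tlsext_host_name() and gnutls_server_name_set() do internally. The address check is the part worth copying into a C client: deciding before the library call whether an SNI value is legal at all.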