* [RFH/PATCH] imap-send: support SNI (RFC4366)
From: Junio C Hamano @ 2013-02-21 0:18 UTC
To: git
To talk to a site that serves multiple names on a single IP address,
the client needs to ask for the specific hostname it wants to talk
to. Otherwise, the default certificate returned from the IP address
may not match that of the host we wanted to talk to.
Signed-off-by: Junio C Hamano <gitster@pobox.com>
---
* I need help from people on this patch in two areas:

(1) I only tested this patch by connecting to https://googlemail.com/
with

    $ git -c imap.host=imaps://googlemail.com -c imap.port=443 imap-send <this-patch.txt

as it is the only site I knew clients need to talk SNI to in order to get
the right certificate to verify; of course the port does not
talk imap, and the only thing that is tested by that approach is
that we successfully establish an SSL/TLS connection. Without the
patch, we fail to verify the certificate (we get a cert that is
for another hostname that is hosted at the same IP address), and
with the patch, we successfully get the right one.

I would appreciate it if somebody who knows an imap server that
needs SNI runs an end-to-end test against that server.

(2) I do not know if everybody has the SSL_set_tslext_host_name() macro
defined, so this patch may be breaking the build for people with
different versions of OpenSSL.
imap-send.c | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/imap-send.c b/imap-send.c
index 171c887..d9abd8b 100644
--- a/imap-send.c
+++ b/imap-send.c
@@ -370,6 +370,15 @@ static int ssl_socket_connect(struct imap_socket *sock, int use_tls_only, int ve
return -1;
}
+ /*
+ * SNI (RFC4366)
+ * OpenSSL does not document this function, but the implementation
+ * returns 1 on success, 0 on failure after calling SSLerr().
+ */
+ ret = SSL_set_tlsext_host_name(sock->ssl, server.host);
+ if (ret != 1)
+ warning("SSL_set_tslext_host_name(%s) failed.\n", server.host);
+
ret = SSL_connect(sock->ssl);
if (ret <= 0) {
socket_perror("SSL_connect", sock, ret);
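Review bot: the warning string on the `if (ret != 1)` line misspells the function it reports (`SSL_set_tslext_host_name`, whereas the call two lines above is `SSL_set_tlsext_host_name`) and ends in `\n`, which git's warning() already appends, so the message is followed by a blank line; suggest `warning("SSL_set_tlsext_host_name(%s) failed.", server.host);`. Two further points for this hunk: SSL_set_tlsext_host_name() is a macro that older OpenSSL releases do not define, so the unconditional call can break the build (the cover note's item (2)); and RFC 4366 section 3.1 does not permit literal IPv4 or IPv6 addresses in the HostName field, while server.host is taken straight from imap.host, so a configured IP literal should skip the call rather than be sent as SNI. Proceeding to SSL_connect() after the warning is reasonable when the `verify` parameter is set, because verification against the wrong default certificate still fails closed, but the comment should say so for the next reader.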
--
1.8.2.rc0.106.ga6e4a61
* Re: [RFH/PATCH] imap-send: support SNI (RFC4366)
From: Junio C Hamano @ 2013-02-21 5:35 UTC
To: git
Junio C Hamano <gitster@pobox.com> writes:
> To talk to a site that serves multiple names on a single IP address,
> the client needs to ask for the specific hostname it wants to talk
> to. Otherwise, the default certificate returned from the IP address
> may not match that of the host we wanted to talk to.
>
> Signed-off-by: Junio C Hamano <gitster@pobox.com>
> ---
>
> * I need help from people on this patch in two areas:
>
> (1) I only tested this patch by connecting to https://googlemail.com/
> with
> ...
> I would appreciate it if somebody knows an imap server that
> needs SNI and runs an end-to-end test against that server.
>
> (2) I do not know if everybody has SSL_set_tslext_host_name() macro
> defined, so this patch may be breaking build for people with
> different versions of OpenSSL.
What I queued for tonight replaces the posted patch with this
version in order to address (2) above.
-- >8 --
Subject: [PATCH] imap-send: support SNI (RFC4366)
To talk with some sites that serve multiple names on a single IP
address, the client needs to ask for the specific host it wants to
talk to.
Signed-off-by: Junio C Hamano <gitster@pobox.com>
---
imap-send.c | 11 +++++++++++
1 file changed, 11 insertions(+)
diff --git a/imap-send.c b/imap-send.c
index 171c887..ab2098a 100644
--- a/imap-send.c
+++ b/imap-send.c
@@ -370,6 +370,17 @@ static int ssl_socket_connect(struct imap_socket *sock, int use_tls_only, int ve
return -1;
}
+#ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
+ /*
+ * SNI (RFC4366)
+ * OpenSSL does not document this function, but the implementation
+ * returns 1 on success, 0 on failure after calling SSLerr().
+ */
+ ret = SSL_set_tlsext_host_name(sock->ssl, server.host);
+ if (ret != 1)
+ warning("SSL_set_tslext_host_name(%s) failed.\n", server.host);
+#endif
+
ret = SSL_connect(sock->ssl);
if (ret <= 0) {
socket_perror("SSL_connect", sock, ret);
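Review bot: the typo and the doubled newline in the warning text survive into this version: the string still reads `SSL_set_tslext_host_name(%s) failed.\n` although the call on the line above is `SSL_set_tlsext_host_name`, and warning() supplies its own newline. The comment also states that a 0 return follows an SSLerr() call, which leaves an entry on OpenSSL's error queue; either include it in the warning (ERR_get_error() with ERR_error_string()) or clear the queue, so that a later failure in SSL_connect() is not reported with a stale SNI error attached.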
--
1.8.2.rc0.127.g4d5d7da
* Re: [RFH/PATCH] imap-send: support SNI (RFC4366)
From: Jeff King @ 2013-02-21 5:48 UTC
To: Junio C Hamano; +Cc: git
On Wed, Feb 20, 2013 at 09:35:16PM -0800, Junio C Hamano wrote:
>> (2) I do not know if everybody has SSL_set_tslext_host_name() macro
>> defined, so this patch may be breaking build for people with
>> different versions of OpenSSL.
> [...]
>
> +#ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
> + /*
> + * SNI (RFC4366)
> + * OpenSSL does not document this function, but the implementation
> + * returns 1 on success, 0 on failure after calling SSLerr().
> + */
> + ret = SSL_set_tlsext_host_name(sock->ssl, server.host);
> + if (ret != 1)
> + warning("SSL_set_tslext_host_name(%s) failed.\n", server.host);
> +#endif
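Review bot: with only `#ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME` around the block, a build against an OpenSSL that lacks the macro silently has no SNI at all, and a user of such a build sees exactly the symptom this patch fixes (certificate verification failing against a multi-name host) with no hint of the cause. An `#else` branch that emits a warning when server.host is set, or at least a sentence in the commit message saying SNI depends on the OpenSSL version, would make that failure mode visible.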
Yes, I think this is the right macro to check. According to OpenSSL's
CHANGES file, it was introduced between 0.9.8n and 1.0.0 (Mar 2010). But
I note that the use of the same macro in libcurl dates to 2008. Curious.
Note that you have a typo in your warning text (tslext) and an
extra newline.
As far as testing goes, I don't have an SNI IMAP server handy, but I
think you can simulate one with "openssl s_server". It may be a good
long-term goal to test any ssl-specific code against that in our test
suite (on the other hand, most of the interesting stuff is https, where
the details are all handled by curl).
-Peff
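Jeff's suggestion to test against a simulated SNI server can be complemented by checking what the client actually puts on the wire. The following Python script is an added example, not code from this thread or from the git project: it encodes the server_name extension of RFC 4366 section 3.1 into a minimal TLS 1.2 ClientHello (the cipher suite list and the host name imap.example.com are constructed sample values) and parses the name back out of a ClientHello record, returning None when the client, like imap-send before this patch, sends no SNI at all. Fed the first record of a packet capture of an imap-send connection, extract_sni() shows whether the patched client asks for the configured host, and it refuses IP literals the same way RFC 4366 does.

```python
"""Build a minimal TLS ClientHello carrying the server_name (SNI) extension of
RFC 4366 section 3.1 and extract the name again from a captured ClientHello.
Added example, not code from the git project.  All sample data is constructed;
nothing here touches the network."""
import os
import struct

RECORD_HANDSHAKE = 0x16          # TLS record content type: handshake
HANDSHAKE_CLIENT_HELLO = 0x01    # handshake message type: client_hello
SNI_EXTENSION_TYPE = 0x0000      # extension type "server_name" (RFC 4366)
SNI_NAME_TYPE_HOST = 0x00        # NameType "host_name"


def sni_extension(hostname):
    """Encode one host_name entry as a complete server_name extension.
    RFC 4366 forbids IP literals in HostName, so refuse them here."""
    if hostname.replace(".", "").isdigit() or ":" in hostname:
        raise ValueError("RFC 4366 does not allow IP literals in server_name")
    name = hostname.encode("idna")
    entry = struct.pack("!BH", SNI_NAME_TYPE_HOST, len(name)) + name
    server_name_list = struct.pack("!H", len(entry)) + entry
    return struct.pack("!HH", SNI_EXTENSION_TYPE, len(server_name_list)) + server_name_list


def build_client_hello(hostname=None, random_bytes=None):
    """Assemble a TLS 1.2 ClientHello record.  hostname=None omits the
    extension entirely, i.e. what imap-send sent before the patch."""
    rnd = random_bytes if random_bytes is not None else os.urandom(32)
    body = b"\x03\x03" + rnd                    # client_version + random
    body += b"\x00"                             # empty session_id
    suites = b"\xc0\x2f\x00\x9c"                # constructed two-suite list
    body += struct.pack("!H", len(suites)) + suites
    body += b"\x01\x00"                         # one compression method: null
    if hostname is not None:
        ext = sni_extension(hostname)
        body += struct.pack("!H", len(ext)) + ext
    handshake = bytes([HANDSHAKE_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", RECORD_HANDSHAKE, 0x0301, len(handshake)) + handshake


def extract_sni(record):
    """Return the host_name a ClientHello asks for, or None if the client sent
    no server_name extension.  Raises ValueError on anything malformed."""
    try:
        return _walk_client_hello(record)
    except (IndexError, struct.error) as exc:
        raise ValueError("truncated or malformed ClientHello") from exc


def _walk_client_hello(record):
    if record[0] != RECORD_HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    (rec_len,) = struct.unpack("!H", record[3:5])
    hs = record[5:5 + rec_len]
    if len(hs) != rec_len or hs[0] != HANDSHAKE_CLIENT_HELLO:
        raise ValueError("not a complete ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) != hs_len:
        raise ValueError("truncated handshake body")
    pos = 2 + 32                                # skip client_version + random
    pos += 1 + body[pos]                        # session_id
    (cs_len,) = struct.unpack("!H", body[pos:pos + 2])
    pos += 2 + cs_len                           # cipher_suites
    pos += 1 + body[pos]                        # compression_methods
    if pos == len(body):
        return None                             # no extensions block at all
    (ext_total,) = struct.unpack("!H", body[pos:pos + 2])
    pos += 2
    end = pos + ext_total
    if end > len(body):
        raise ValueError("extensions overrun handshake body")
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        data = body[pos:pos + ext_len]
        pos += ext_len
        if len(data) != ext_len:
            raise ValueError("truncated extension")
        if ext_type != SNI_EXTENSION_TYPE:
            continue
        (list_len,) = struct.unpack("!H", data[:2])
        names = data[2:2 + list_len]
        p = 0
        while p + 3 <= len(names):
            name_type, name_len = struct.unpack("!BH", names[p:p + 3])
            p += 3
            name = names[p:p + name_len]
            p += name_len
            if name_type == SNI_NAME_TYPE_HOST:
                return name.decode("idna")
    return None


if __name__ == "__main__":
    for host in ("imap.example.com", None):
        hello = build_client_hello(host)
        print(f"{len(hello):3d} bytes, SNI = {extract_sni(hello)!r}")
```

The parser only walks the ClientHello far enough to reach the extensions block, so it works on any TLS 1.0 to 1.2 ClientHello captured off the wire; a record that is not a handshake, or one cut short by the capture, raises ValueError instead of returning a misleading None.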