diff options
| author | jsing <> | 2021-12-26 14:46:06 +0000 |
|---|---|---|
| committer | jsing <> | 2021-12-26 14:46:06 +0000 |
| commit | f3991a23718fe2fc0de808e49e6ccb3bb5c65a9c (patch) | |
| tree | d1a9eebada238b72ab5a82503f8194ae0899ca34 /src | |
| parent | f7c59af989877070c21c0a28a978665209e75524 (diff) | |
| download | openbsd-f3991a23718fe2fc0de808e49e6ccb3bb5c65a9c.tar.gz openbsd-f3991a23718fe2fc0de808e49e6ccb3bb5c65a9c.tar.bz2 openbsd-f3991a23718fe2fc0de808e49e6ccb3bb5c65a9c.zip | |
Attempt to opportunistically use the host name for SNI in s_client.
ok beck@ inoguchi@ tb@
Diffstat (limited to 'src')
| -rw-r--r-- | src/usr.bin/openssl/s_client.c | 44 |
1 files changed, 34 insertions, 10 deletions
diff --git a/src/usr.bin/openssl/s_client.c b/src/usr.bin/openssl/s_client.c index 1e932226b2..da6ef088b8 100644 --- a/src/usr.bin/openssl/s_client.c +++ b/src/usr.bin/openssl/s_client.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: s_client.c,v 1.56 2021/10/25 11:47:39 jca Exp $ */ | 1 | /* $OpenBSD: s_client.c,v 1.57 2021/12/26 14:46:06 jsing Exp $ */ |
| 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) | 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) |
| 3 | * All rights reserved. | 3 | * All rights reserved. |
| 4 | * | 4 | * |
| @@ -219,6 +219,7 @@ static struct { | |||
| 219 | int msg; | 219 | int msg; |
| 220 | int nbio; | 220 | int nbio; |
| 221 | int nbio_test; | 221 | int nbio_test; |
| 222 | int no_servername; | ||
| 222 | char *npn_in; | 223 | char *npn_in; |
| 223 | unsigned int off; | 224 | unsigned int off; |
| 224 | char *passarg; | 225 | char *passarg; |
| @@ -634,6 +635,12 @@ static const struct option s_client_options[] = { | |||
| 634 | .value = SSL_OP_LEGACY_SERVER_CONNECT, | 635 | .value = SSL_OP_LEGACY_SERVER_CONNECT, |
| 635 | }, | 636 | }, |
| 636 | { | 637 | { |
| 638 | .name = "no_servername", | ||
| 639 | .desc = "Do not send a Server Name Indication (SNI) extension", | ||
| 640 | .type = OPTION_FLAG, | ||
| 641 | .opt.value = &s_client_config.no_servername, | ||
| 642 | }, | ||
| 643 | { | ||
| 637 | .name = "no_ssl2", | 644 | .name = "no_ssl2", |
| 638 | .type = OPTION_VALUE_OR, | 645 | .type = OPTION_VALUE_OR, |
| 639 | .opt.value = &s_client_config.off, | 646 | .opt.value = &s_client_config.off, |
| @@ -681,6 +688,11 @@ static const struct option s_client_options[] = { | |||
| 681 | .value = SSL_OP_NO_TLSv1_3, | 688 | .value = SSL_OP_NO_TLSv1_3, |
| 682 | }, | 689 | }, |
| 683 | { | 690 | { |
| 691 | .name = "noservername", | ||
| 692 | .type = OPTION_FLAG, | ||
| 693 | .opt.value = &s_client_config.no_servername, | ||
| 694 | }, | ||
| 695 | { | ||
| 684 | .name = "pass", | 696 | .name = "pass", |
| 685 | .argname = "arg", | 697 | .argname = "arg", |
| 686 | .desc = "Private key file pass phrase source", | 698 | .desc = "Private key file pass phrase source", |
| @@ -895,6 +907,7 @@ s_client_main(int argc, char **argv) | |||
| 895 | int cbuf_len, cbuf_off; | 907 | int cbuf_len, cbuf_off; |
| 896 | int sbuf_len, sbuf_off; | 908 | int sbuf_len, sbuf_off; |
| 897 | int full_log = 1; | 909 | int full_log = 1; |
| 910 | const char *servername; | ||
| 898 | char *pass = NULL; | 911 | char *pass = NULL; |
| 899 | X509 *cert = NULL; | 912 | X509 *cert = NULL; |
| 900 | EVP_PKEY *key = NULL; | 913 | EVP_PKEY *key = NULL; |
| @@ -1066,12 +1079,6 @@ s_client_main(int argc, char **argv) | |||
| 1066 | if (!SSL_CTX_set_default_verify_paths(ctx)) | 1079 | if (!SSL_CTX_set_default_verify_paths(ctx)) |
| 1067 | ERR_print_errors(bio_err); | 1080 | ERR_print_errors(bio_err); |
| 1068 | 1081 | ||
| 1069 | if (s_client_config.servername != NULL) { | ||
| 1070 | tlsextcbp.biodebug = bio_err; | ||
| 1071 | SSL_CTX_set_tlsext_servername_callback(ctx, ssl_servername_cb); | ||
| 1072 | SSL_CTX_set_tlsext_servername_arg(ctx, &tlsextcbp); | ||
| 1073 | } | ||
| 1074 | |||
| 1075 | con = SSL_new(ctx); | 1082 | con = SSL_new(ctx); |
| 1076 | if (s_client_config.sess_in) { | 1083 | if (s_client_config.sess_in) { |
| 1077 | SSL_SESSION *sess; | 1084 | SSL_SESSION *sess; |
| @@ -1093,15 +1100,32 @@ s_client_main(int argc, char **argv) | |||
| 1093 | SSL_set_session(con, sess); | 1100 | SSL_set_session(con, sess); |
| 1094 | SSL_SESSION_free(sess); | 1101 | SSL_SESSION_free(sess); |
| 1095 | } | 1102 | } |
| 1096 | if (s_client_config.servername != NULL) { | 1103 | |
| 1097 | if (!SSL_set_tlsext_host_name(con, s_client_config.servername)) { | 1104 | /* Attempt to opportunistically use the host name for SNI. */ |
| 1105 | servername = s_client_config.servername; | ||
| 1106 | if (servername == NULL) | ||
| 1107 | servername = s_client_config.host; | ||
| 1108 | |||
| 1109 | if (!s_client_config.no_servername && servername != NULL && | ||
| 1110 | !SSL_set_tlsext_host_name(con, servername)) { | ||
| 1111 | long ssl_err = ERR_peek_error(); | ||
| 1112 | |||
| 1113 | if (s_client_config.servername != NULL || | ||
| 1114 | ERR_GET_LIB(ssl_err) != ERR_LIB_SSL || | ||
| 1115 | ERR_GET_REASON(ssl_err) != SSL_R_SSL3_EXT_INVALID_SERVERNAME) { | ||
| 1098 | BIO_printf(bio_err, | 1116 | BIO_printf(bio_err, |
| 1099 | "Unable to set TLS servername extension.\n"); | 1117 | "Unable to set TLS servername extension.\n"); |
| 1100 | ERR_print_errors(bio_err); | 1118 | ERR_print_errors(bio_err); |
| 1101 | goto end; | 1119 | goto end; |
| 1102 | } | 1120 | } |
| 1121 | servername = NULL; | ||
| 1122 | ERR_clear_error(); | ||
| 1123 | } | ||
| 1124 | if (!s_client_config.no_servername && servername != NULL) { | ||
| 1125 | tlsextcbp.biodebug = bio_err; | ||
| 1126 | SSL_CTX_set_tlsext_servername_callback(ctx, ssl_servername_cb); | ||
| 1127 | SSL_CTX_set_tlsext_servername_arg(ctx, &tlsextcbp); | ||
| 1103 | } | 1128 | } |
| 1104 | /* SSL_set_cipher_list(con,"RC4-MD5"); */ | ||
| 1105 | 1129 | ||
| 1106 | re_start: | 1130 | re_start: |
| 1107 | 1131 | ||