summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
Diffstat
-rw-r--r--src/lib/libtls/tls_server.c12
1 files changed, 9 insertions, 3 deletions
diff --git a/src/lib/libtls/tls_server.c b/src/lib/libtls/tls_server.c
index fd5a617582..394cea1e8d 100644
--- a/src/lib/libtls/tls_server.c
+++ b/src/lib/libtls/tls_server.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: tls_server.c,v 1.39 2017/06/22 18:03:57 jsing Exp $ */ 1/* $OpenBSD: tls_server.c,v 1.40 2017/07/05 15:38:35 jsing Exp $ */
2/* 2/*
3 * Copyright (c) 2014 Joel Sing <jsing@openbsd.org> 3 * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
4 * 4 *
@@ -91,10 +91,16 @@ tls_servername_cb(SSL *ssl, int *al, void *arg)
91 return (SSL_TLSEXT_ERR_NOACK); 91 return (SSL_TLSEXT_ERR_NOACK);
92 } 92 }
93 93
94 /* Per RFC 6066 section 3: ensure that name is not an IP literal. */ 94 /*
95 * Per RFC 6066 section 3: ensure that name is not an IP literal.
96 *
97 * While we should treat this as an error, a number of clients
98 * (Python, Ruby and Safari) are not RFC compliant. To avoid handshake
99 * failures, pretend that we did not receive the extension.
100 */
95 if (inet_pton(AF_INET, name, &addrbuf) == 1 || 101 if (inet_pton(AF_INET, name, &addrbuf) == 1 ||
96 inet_pton(AF_INET6, name, &addrbuf) == 1) 102 inet_pton(AF_INET6, name, &addrbuf) == 1)
97 goto err; 103 return (SSL_TLSEXT_ERR_NOACK);
98 104
99 free((char *)conn_ctx->servername); 105 free((char *)conn_ctx->servername);
100 if ((conn_ctx->servername = strdup(name)) == NULL) 106 if ((conn_ctx->servername = strdup(name)) == NULL)
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-03-21 19:25:24 +0000