1 files changed, 34 insertions, 10 deletions
diff --git a/src/usr.bin/openssl/s_client.c b/src/usr.bin/openssl/s_client.c
index 1e932226b2..da6ef088b8 100644
--- a/src/usr.bin/openssl/s_client.c
+++ b/src/usr.bin/openssl/s_client.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s_client.c,v 1.56 2021/10/25 11:47:39 jca Exp $ */
+/* $OpenBSD: s_client.c,v 1.57 2021/12/26 14:46:06 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -219,6 +219,7 @@ static struct {
        int msg;
        int nbio;
        int nbio_test;
+        int no_servername;
        char *npn_in;
        unsigned int off;
        char *passarg;
@@ -634,6 +635,12 @@ static const struct option s_client_options[] = {
                .value = SSL_OP_LEGACY_SERVER_CONNECT,
        },
        {
+                .name = "no_servername",
+                .desc = "Do not send a Server Name Indication (SNI) extension",
+                .type = OPTION_FLAG,
+                .opt.value = &s_client_config.no_servername,
+        },
+        {
                .name = "no_ssl2",
                .type = OPTION_VALUE_OR,
                .opt.value = &s_client_config.off,
@@ -681,6 +688,11 @@ static const struct option s_client_options[] = {
                .value = SSL_OP_NO_TLSv1_3,
        },
        {
+                .name = "noservername",
+                .type = OPTION_FLAG,
+                .opt.value = &s_client_config.no_servername,
+        },
+        {
                .name = "pass",
                .argname = "arg",
                .desc = "Private key file pass phrase source",
@@ -895,6 +907,7 @@ s_client_main(int argc, char **argv)
        int cbuf_len, cbuf_off;
        int sbuf_len, sbuf_off;
        int full_log = 1;
+        const char *servername;
        char *pass = NULL;
        X509 *cert = NULL;
        EVP_PKEY *key = NULL;
@@ -1066,12 +1079,6 @@ s_client_main(int argc, char **argv)
        if (!SSL_CTX_set_default_verify_paths(ctx))
                ERR_print_errors(bio_err);
-        if (s_client_config.servername != NULL) {
-                tlsextcbp.biodebug = bio_err;
-                SSL_CTX_set_tlsext_servername_callback(ctx, ssl_servername_cb);
-                SSL_CTX_set_tlsext_servername_arg(ctx, &tlsextcbp);
-        }
        con = SSL_new(ctx);
        if (s_client_config.sess_in) {
                SSL_SESSION *sess;
@@ -1093,15 +1100,32 @@ s_client_main(int argc, char **argv)
                SSL_set_session(con, sess);
                SSL_SESSION_free(sess);
        }
-        if (s_client_config.servername != NULL) {
-                if (!SSL_set_tlsext_host_name(con, s_client_config.servername)) {
+        /* Attempt to opportunistically use the host name for SNI. */
+        servername = s_client_config.servername;
+        if (servername == NULL)
+                servername = s_client_config.host;
+        if (!s_client_config.no_servername && servername != NULL &&
+            !SSL_set_tlsext_host_name(con, servername)) {
+                long ssl_err = ERR_peek_error();
+                if (s_client_config.servername != NULL ||
+                    ERR_GET_LIB(ssl_err) != ERR_LIB_SSL ||
+                    ERR_GET_REASON(ssl_err) != SSL_R_SSL3_EXT_INVALID_SERVERNAME) {
                        BIO_printf(bio_err,
                            "Unable to set TLS servername extension.\n");
                        ERR_print_errors(bio_err);
                        goto end;
                }
+                servername = NULL;
+                ERR_clear_error();
+        }
+        if (!s_client_config.no_servername && servername != NULL) {
+                tlsextcbp.biodebug = bio_err;
+                SSL_CTX_set_tlsext_servername_callback(ctx, ssl_servername_cb);
+                SSL_CTX_set_tlsext_servername_arg(ctx, &tlsextcbp);
        }
-/*      SSL_set_cipher_list(con,"RC4-MD5"); */
 re_start:

diff --git a/src/usr.bin/openssl/s_client.c b/src/usr.bin/openssl/s_client.c index 1e932226b2..da6ef088b8 100644 --- a/src/usr.bin/openssl/s_client.c +++ b/src/usr.bin/openssl/s_client.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: s_client.c,v 1.56 2021/10/25 11:47:39 jca Exp $ */	1	/* $OpenBSD: s_client.c,v 1.57 2021/12/26 14:46:06 jsing Exp $ */
2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)	2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3	* All rights reserved.	3	* All rights reserved.
4	*	4	*
@@ -219,6 +219,7 @@ static struct {
219	int msg;	219	int msg;
220	int nbio;	220	int nbio;
221	int nbio_test;	221	int nbio_test;
		222	int no_servername;
222	char *npn_in;	223	char *npn_in;
223	unsigned int off;	224	unsigned int off;
224	char *passarg;	225	char *passarg;
@@ -634,6 +635,12 @@ static const struct option s_client_options[] = {
634	.value = SSL_OP_LEGACY_SERVER_CONNECT,	635	.value = SSL_OP_LEGACY_SERVER_CONNECT,
635	},	636	},
636	{	637	{
		638	.name = "no_servername",
		639	.desc = "Do not send a Server Name Indication (SNI) extension",
		640	.type = OPTION_FLAG,
		641	.opt.value = &s_client_config.no_servername,
		642	},
		643	{
637	.name = "no_ssl2",	644	.name = "no_ssl2",
638	.type = OPTION_VALUE_OR,	645	.type = OPTION_VALUE_OR,
639	.opt.value = &s_client_config.off,	646	.opt.value = &s_client_config.off,
@@ -681,6 +688,11 @@ static const struct option s_client_options[] = {
681	.value = SSL_OP_NO_TLSv1_3,	688	.value = SSL_OP_NO_TLSv1_3,
682	},	689	},
683	{	690	{
		691	.name = "noservername",
		692	.type = OPTION_FLAG,
		693	.opt.value = &s_client_config.no_servername,
		694	},
		695	{
684	.name = "pass",	696	.name = "pass",
685	.argname = "arg",	697	.argname = "arg",
686	.desc = "Private key file pass phrase source",	698	.desc = "Private key file pass phrase source",
@@ -895,6 +907,7 @@ s_client_main(int argc, char **argv)
895	int cbuf_len, cbuf_off;	907	int cbuf_len, cbuf_off;
896	int sbuf_len, sbuf_off;	908	int sbuf_len, sbuf_off;
897	int full_log = 1;	909	int full_log = 1;
		910	const char *servername;
898	char *pass = NULL;	911	char *pass = NULL;
899	X509 *cert = NULL;	912	X509 *cert = NULL;
900	EVP_PKEY *key = NULL;	913	EVP_PKEY *key = NULL;
@@ -1066,12 +1079,6 @@ s_client_main(int argc, char **argv)
1066	if (!SSL_CTX_set_default_verify_paths(ctx))	1079	if (!SSL_CTX_set_default_verify_paths(ctx))
1067	ERR_print_errors(bio_err);	1080	ERR_print_errors(bio_err);
1068		1081
1069	if (s_client_config.servername != NULL) {
1070	tlsextcbp.biodebug = bio_err;
1071	SSL_CTX_set_tlsext_servername_callback(ctx, ssl_servername_cb);
1072	SSL_CTX_set_tlsext_servername_arg(ctx, &tlsextcbp);
1073	}
1074
1075	con = SSL_new(ctx);	1082	con = SSL_new(ctx);
1076	if (s_client_config.sess_in) {	1083	if (s_client_config.sess_in) {
1077	SSL_SESSION *sess;	1084	SSL_SESSION *sess;
@@ -1093,15 +1100,32 @@ s_client_main(int argc, char **argv)
1093	SSL_set_session(con, sess);	1100	SSL_set_session(con, sess);
1094	SSL_SESSION_free(sess);	1101	SSL_SESSION_free(sess);
1095	}	1102	}
1096	if (s_client_config.servername != NULL) {	1103
1097	if (!SSL_set_tlsext_host_name(con, s_client_config.servername)) {	1104	/* Attempt to opportunistically use the host name for SNI. */
		1105	servername = s_client_config.servername;
		1106	if (servername == NULL)
		1107	servername = s_client_config.host;
		1108
		1109	if (!s_client_config.no_servername && servername != NULL &&
		1110	!SSL_set_tlsext_host_name(con, servername)) {
		1111	long ssl_err = ERR_peek_error();
		1112
		1113	if (s_client_config.servername != NULL \|\|
		1114	ERR_GET_LIB(ssl_err) != ERR_LIB_SSL \|\|
		1115	ERR_GET_REASON(ssl_err) != SSL_R_SSL3_EXT_INVALID_SERVERNAME) {
1098	BIO_printf(bio_err,	1116	BIO_printf(bio_err,
1099	"Unable to set TLS servername extension.\n");	1117	"Unable to set TLS servername extension.\n");
1100	ERR_print_errors(bio_err);	1118	ERR_print_errors(bio_err);
1101	goto end;	1119	goto end;
1102	}	1120	}
		1121	servername = NULL;
		1122	ERR_clear_error();
		1123	}
		1124	if (!s_client_config.no_servername && servername != NULL) {
		1125	tlsextcbp.biodebug = bio_err;
		1126	SSL_CTX_set_tlsext_servername_callback(ctx, ssl_servername_cb);
		1127	SSL_CTX_set_tlsext_servername_arg(ctx, &tlsextcbp);
1103	}	1128	}
1104	/* SSL_set_cipher_list(con,"RC4-MD5"); */
1105		1129
1106	re_start:	1130	re_start:
1107		1131