Date: Sat, 8 Jun 2013 22:56:53 +0200
From: Sofian Brabez <sbz@FreeBSD.org>
To: freebsd-hackers@FreeBSD.org
Cc: Dag-Erling Smørgrav <des@FreeBSD.org>
Subject: [patch] TLS Server Name Indication (SNI) support for fetch(1)
Message-ID: <20130608205653.GA8765@ogoshi.int.nbs-system.com>
Hi,

fetch(1) currently does not support the TLS extension Server Name Indication (RFC 6066) [1] when dealing with SSL. Nowadays lots of clients and servers implement this extension.

Using the TLS SNI Test website sni.velox.ch [2], the test fails in r251550:

% fetch -o out https://sni.velox.ch/ && grep 'libfetch' out
fetch: https://sni.velox.ch/: size of remote file is not known
out                                          5101  B  134 kBps 00m00s
<p><strong>Unfortunately, your client </strong>[fetch libfetch/2.0] <strong>

After patching lib/libfetch with my changes:

% cd /usr/src/lib/libfetch
% patch -p0 < <(fetch -o - http://people.freebsd.org/~sbz/fetch_ssl_sni.diff)

And after rebuilding the lib/libfetch library and the usr.bin/fetch program, the test succeeded:

% fetch -o out https://sni.velox.ch/ && grep 'libfetch' out
fetch: https://sni.velox.ch/: size of remote file is not known
out                                          5063  B  104 kBps 00m00s
<p><strong>Great! Your client </strong>[fetch libfetch/2.0] <strong>

Our OpenSSL version 1.0.1c in base supports this extension already. s_client does too, using the -servername argument:

% openssl version
OpenSSL 1.0.1c-freebsd 10 May 2012
% openssl s_client -h 2>&1| grep servername
 -servername host  - Set TLS extension servername in ClientHello
% openssl s_client -connect sni.velox.ch:443 -servername sni.velox.ch -tlsextdebug 2>/dev/null|grep 'extension'
TLS server extension "server name" (id=0), len=0
TLS server extension "renegotiation info" (id=65281), len=1
TLS server extension "EC point formats" (id=11), len=4
TLS server extension "session ticket" (id=35), len=0
TLS server extension "heartbeat" (id=15), len=1

You will find the patch here [3] and as an inline attachment. Is it OK for you, des@?
Regards

[1] http://en.wikipedia.org/wiki/Server_Name_Indication
[2] https://sni.velox.ch/
[3] http://people.freebsd.org/~sbz/fetch_ssl_sni.diff

-- 
Sofian Brabez

Attachment: fetch_ssl_sni.diff (text/x-diff)

Index: common.c =================================================================== --- common.c (revision 251547) +++ common.c (working copy) @@ -322,7 +322,7 @@ * Enable SSL on a connection. */ int -fetch_ssl(conn_t *conn, int verbose) +fetch_ssl(conn_t *conn, int verbose, char *hostname) { #ifdef WITH_SSL int ret, ssl_err; @@ -345,6 +345,14 @@ return (-1); } SSL_set_fd(conn->ssl, conn->sd); + +#if OPENSSL_VERSION_NUMBER >= 0x0090806fL && !defined(OPENSSL_NO_TLSEXT) + if (!SSL_set_tlsext_host_name(conn->ssl, hostname)) { + fprintf(stderr, "TLS server name indication extension failed for host %s\n", hostname); + return (-1); + } +#endif + while ((ret = SSL_connect(conn->ssl)) == -1) { ssl_err = SSL_get_error(conn->ssl, ret); if (ssl_err != SSL_ERROR_WANT_READ && Index: common.h =================================================================== --- common.h (revision 251547) +++ common.h (working copy) @@ -87,7 +87,7 @@ conn_t *fetch_connect(const char *, int, int, int); conn_t *fetch_reopen(int); conn_t *fetch_ref(conn_t *); -int fetch_ssl(conn_t *, int); +int fetch_ssl(conn_t *, int, char*); ssize_t fetch_read(conn_t *, char *, size_t); int fetch_getln(conn_t *); ssize_t fetch_write(conn_t *, const char *, size_t); Index: http.c =================================================================== --- http.c (revision 251547) +++ http.c (working copy)
@@ -1408,7 +1408,7 @@ http_get_reply(conn); } if (strcasecmp(URL->scheme, SCHEME_HTTPS) == 0 && - fetch_ssl(conn, verbose) == -1) { + fetch_ssl(conn, verbose, URL->host) == -1) { fetch_close(conn); /* grrr */ errno = EAUTH;
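Review bot: in the first common.c hunk (@@ -322,7 +322,7 @@), the new parameter in fetch_ssl(conn_t *conn, int verbose, char *hostname) should be `const char *hostname`: the function only reads the name, and the caller passes URL->host. If the SSL_set_tlsext_host_name() macro insists on a non-const pointer, cast at that one call rather than widening the public signature.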
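Review bot: the second common.c hunk (@@ -345,6 +345,14 @@) sends the server_name extension unconditionally, but RFC 6066 forbids literal IPv4/IPv6 addresses in HostName, so the block should skip SSL_set_tlsext_host_name() when hostname is an address literal (for example when the URL was given as https://192.0.2.1/). Two smaller points: a failed SSL_set_tlsext_host_name() is turned into a hard connection failure with `return (-1);`, so either downgrade it to a warning gated on `verbose` or confirm that this early return releases conn->ssl the same way the existing `return (-1); }` just above SSL_set_fd() does; and the fprintf() line is far beyond 80 columns, so wrap it per style(9).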
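Review bot: in the common.h hunk, the prototype `int fetch_ssl(conn_t *, int, char*);` departs from the spacing of its neighbours (`char *`, as in `ssize_t fetch_read(conn_t *, char *, size_t);`) and should read `const char *` to match a read-only parameter; keep it in sync with the definition in common.c.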
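Review bot: in the http.c hunk, passing URL->host is the right value for both the direct and the proxied case (the call sits right after http_get_reply(conn), which finishes the CONNECT exchange), because SNI must name the origin server and not the proxy. Since URL->host may also be an IP address literal, the check for that belongs inside fetch_ssl() rather than at this call site, so every caller gets it.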
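To show concretely what SSL_set_tlsext_host_name() puts on the wire, here is an added example that is not part of the patch or of libfetch: a C encoder and decoder for the RFC 6066 server_name extension body, where the encoder refuses the IP address literals the RFC forbids and the decoder rejects any message whose nested length fields do not add up. It assumes a single host_name entry (the only name type RFC 6066 defines); sni_encode, sni_decode and sni_is_ip_literal are hypothetical names.

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical helper (not libfetch code): RFC 6066 forbids literal IPv4/IPv6
 * addresses in HostName, so a client must not send SNI for them. */
static int sni_is_ip_literal(const char *host)
{
    unsigned char buf[16];
    return (inet_pton(AF_INET, host, buf) == 1 ||
        inet_pton(AF_INET6, host, buf) == 1);
}

/* Encode the server_name extension (RFC 6066, section 3) for host into out:
 * type(2)=0 | ext_len(2) | list_len(2) | name_type(1)=0 | name_len(2) | name.
 * Returns bytes written, or 0 for an empty/oversized name, an IP literal or
 * an output buffer that is too small. */
size_t sni_encode(const char *host, uint8_t *out, size_t outlen)
{
    size_t n = strlen(host), total = n + 9;
    if (n == 0 || n > 253 || sni_is_ip_literal(host) || outlen < total)
        return (0);
    out[0] = 0; out[1] = 0;                                      /* server_name(0) */
    out[2] = (uint8_t)((n + 5) >> 8); out[3] = (uint8_t)(n + 5); /* extension_data length */
    out[4] = (uint8_t)((n + 3) >> 8); out[5] = (uint8_t)(n + 3); /* ServerNameList length */
    out[6] = 0;                                                  /* host_name(0) */
    out[7] = (uint8_t)(n >> 8); out[8] = (uint8_t)n;             /* HostName length */
    memcpy(out + 9, host, n);
    return (total);
}

/* Decode a server_name extension as a server or passive sensor would, requiring
 * every nested length to match exactly. Copies the NUL-terminated name into
 * host and returns its length, or 0 if the extension is malformed. */
size_t sni_decode(const uint8_t *ext, size_t extlen, char *host, size_t hostlen)
{
    size_t datalen, listlen, namelen;
    if (extlen < 9 || ext[0] != 0 || ext[1] != 0 || ext[6] != 0)
        return (0);
    datalen = ((size_t)ext[2] << 8) | ext[3];
    listlen = ((size_t)ext[4] << 8) | ext[5];
    namelen = ((size_t)ext[7] << 8) | ext[8];
    if (datalen + 4 != extlen || listlen + 2 != datalen ||
        namelen + 3 != listlen || namelen == 0 || namelen >= hostlen)
        return (0);
    memcpy(host, ext + 9, namelen);
    host[namelen] = '\0';
    return (namelen);
}
```

For sni.velox.ch the encoder produces 21 bytes: 00 00 00 11 00 0f 00 00 0c followed by the 12-byte name, which is exactly the ClientHello extension that s_client -servername and the patched fetch(1) send.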