From: Junio C Hamano <gitster@pobox.com>
To: git@vger.kernel.org
Subject: [RFH/PATCH] imap-send: support SNI (RFC4366)
Date: Wed, 20 Feb 2013 16:18:04 -0800
Message-ID: <7vbobey0xv.fsf@alter.siamese.dyndns.org>
To talk to a site that serves multiple names on a single IP address,
the client needs to ask for the specific hostname it wants to talk
to. Otherwise, the default certificate returned from the IP address
may not match that of the host we wanted to talk to.
Signed-off-by: Junio C Hamano <gitster@pobox.com>
---
* I need help from people on this patch in two areas:
(1) I only tested this patch by connecting to https://googlemail.com/ with
$ git -c imap.host=imaps://googlemail.com -c imap.port=443 imap-send <this-patch.txt
as it is the only site I knew clients need to talk SNI to get
the right certificate to verify; of course the port does not
talk imap, and the only thing that is tested by that approach is
we successfully establish an SSL/TLS connection. Without the
patch, we fail to verify the certificate (we get a cert that is
for another hostname that is hosted at the same IP address), and
with the patch, we successfully get the right one.
I would appreciate it if somebody knows an imap server that
needs SNI and runs an end-to-end test against that server.
(2) I do not know if everybody has SSL_set_tlsext_host_name() macro
defined, so this patch may be breaking build for people with
different versions of OpenSSL.
imap-send.c | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/imap-send.c b/imap-send.c
index 171c887..d9abd8b 100644
--- a/imap-send.c
+++ b/imap-send.c
@@ -370,6 +370,15 @@ static int ssl_socket_connect(struct imap_socket *sock, int use_tls_only, int ve
return -1;
}
+ /*
+ * SNI (RFC4366)
+ * OpenSSL does not document this function, but the implementation
+ * returns 1 on success, 0 on failure after calling SSLerr().
+ */
+ ret = SSL_set_tlsext_host_name(sock->ssl, server.host);
+ if (ret != 1)
+ warning("SSL_set_tslext_host_name(%s) failed.\n", server.host);
+
ret = SSL_connect(sock->ssl);
if (ret <= 0) {
socket_perror("SSL_connect", sock, ret);
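Review bot: the warning format string in this hunk misspells the macro it reports on ("SSL_set_tslext_host_name") while the call two lines above is SSL_set_tlsext_host_name; spell it the same in both so the message can be grepped back to the code. The trailing "\n" in that format is also redundant, since git's warning() appends its own newline, so `warning("SSL_set_tlsext_host_name(%s) failed.", server.host);` is enough. On the build concern raised in point (2) of the cover note: SSL_set_tlsext_host_name is a preprocessor macro in OpenSSL (not defined when the library is built without TLS extension support), so wrapping the new block in `#ifdef SSL_set_tlsext_host_name` ... `#endif` lets it compile against those versions; such builds simply keep the old no-SNI behaviour, and a mismatched certificate is still rejected in the SSL_connect path below as before. Warn-and-continue on a failed SSL_set_tlsext_host_name is acceptable for the same reason: with verification enabled the wrong certificate is caught later rather than silently accepted.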
--
1.8.2.rc0.106.ga6e4a61
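The commit message's point, that a client which does not name the host it wants gets whatever certificate the address's default virtual host serves, can be checked on the wire without any network. The following is an added example, not git's code and not part of the original message: it drives an OpenSSL client handshake from Python's ssl module (which sets the name through the same SSL_set_tlsext_host_name call underneath) into memory BIOs, captures the ClientHello the client would send first, and parses the server_name extension out of it. The host name imap.example.com is a constructed placeholder; the IP-literal case assumes CPython 3.7 or later, which omits SNI for addresses as RFC 6066 requires.

```python
import ssl

# Constructed example name; nothing is contacted, the handshake never
# leaves process memory.
EXAMPLE_HOST = "imap.example.com"


def client_hello_bytes(server_hostname):
    """Return the client's first TLS flight (the ClientHello record) for a
    handshake driven into memory BIOs, so no socket or server is needed.

    server_hostname=None reproduces a client that never sets SNI, which is
    what imap-send did before the patch above.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # We never receive a certificate here, so disable verification; the
    # order matters, check_hostname must be cleared before verify_mode.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_side=False,
                       server_hostname=server_hostname)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass  # expected: ClientHello written, now waiting for ServerHello
    return outgoing.read()


def _u16(buf, off):
    return int.from_bytes(buf[off:off + 2], "big")


def server_name_extension(flight):
    """Parse a ClientHello out of raw TLS records and return the host_name
    carried in its server_name extension (RFC 6066 section 3), or None when
    the hello carries no SNI."""
    # Reassemble the handshake stream from the record layer (type 0x16).
    handshake, pos = b"", 0
    while pos + 5 <= len(flight):
        if flight[pos] != 0x16:
            raise ValueError("not a handshake record")
        length = _u16(flight, pos + 3)
        handshake += flight[pos + 5:pos + 5 + length]
        pos += 5 + length
    if not handshake or handshake[0] != 0x01:
        raise ValueError("not a ClientHello")
    body_len = int.from_bytes(handshake[1:4], "big")
    body = handshake[4:4 + body_len]

    p = 2 + 32                       # legacy_version, random
    p += 1 + body[p]                 # legacy_session_id
    p += 2 + _u16(body, p)           # cipher_suites
    p += 1 + body[p]                 # legacy_compression_methods
    if p + 2 > len(body):
        return None                  # hello without an extensions block
    end = p + 2 + _u16(body, p)
    p += 2
    while p + 4 <= end:
        ext_type, ext_len = _u16(body, p), _u16(body, p + 2)
        data = body[p + 4:p + 4 + ext_len]
        p += 4 + ext_len
        if ext_type != 0:            # 0 == server_name
            continue
        q = 2                        # skip the ServerNameList length
        while q + 3 <= len(data):
            name_type, name_len = data[q], _u16(data, q + 1)
            name = data[q + 3:q + 3 + name_len]
            q += 3 + name_len
            if name_type == 0:       # host_name
                return name.decode("ascii")
    return None


if __name__ == "__main__":
    print("with SNI   :", server_name_extension(client_hello_bytes(EXAMPLE_HOST)))
    print("without SNI:", server_name_extension(client_hello_bytes(None)))
    # RFC 6066 forbids IP literals in SNI; CPython 3.7+ omits the extension
    # for them, so a host configured as an address gets the default cert.
    print("IP literal :", server_name_extension(client_hello_bytes("192.0.2.10")))
```

The first call yields the configured name; the other two yield None. The None for the nameless client is exactly the situation the patch fixes, and the None for an IP literal is why an imap.host given as a bare address can never select a name-based virtual host, whatever the client does.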
Thread overview:
2013-02-21 0:18 Junio C Hamano [this message]
2013-02-21 5:35 ` [RFH/PATCH] imap-send: support SNI (RFC4366) Junio C Hamano
2013-02-21 5:48 ` Jeff King