Add SNI support for OpenSSL. (see #3923)

The original patch for this is by Phil Pennock at:
https://people.spodhuis.org/phil.pennock/software/mutt-patches/

I have removed the OpenSSL version check and defined(OPENSSL_NO_TLSEXT)
check because:
  * SSL_set_tlsext_host_name() was added in 0.9.8f [11 Oct 2007]
  * OpenSSL 1.1 no longer has the OPENSSL_NO_TLSEXT compilation option
  * https://rt.openssl.org/Ticket/Display.html?id=2788&user=guest&pass=guest
    shows that the no-tlsext compilation option has been broken for some time.
  * Going forward, I'd like to minimize and start removing cruft required
    to support ancient/insecure versions of libraries.

diff --git a/mutt_ssl.c b/mutt_ssl.c
index 30801c3c5f96bb7744535f548aecc4314d07d4c3..98cb82c0b3d9965072c45056167200022c33b10b 100644 (file)
--- a/mutt_ssl.c
+++ b/mutt_ssl.c
@@ -551,6 +551,16 @@ static int ssl_negotiate (CONNECTION *conn, sslsockdata* ssldata)
 
   SSL_set_verify (ssldata->ssl, SSL_VERIFY_PEER, ssl_verify_callback);
   SSL_set_mode (ssldata->ssl, SSL_MODE_AUTO_RETRY);
+
+  if (!SSL_set_tlsext_host_name (ssldata->ssl, conn->account.host))
+  {
+    /* L10N: This is a warning when trying to set the host name for
+     * TLS Server Name Indication (SNI).  This allows the server to present
+     * the correct certificate if it supports multiple hosts. */
+    mutt_error _("Warning: unable to set TLS SNI host name");
+    mutt_sleep (1);
+  }
+
   ERR_clear_error ();
 
   if ((err = SSL_connect (ssldata->ssl)) != 1)