- Curt Bogmine reported a problem with SNI enabled on a particular server. We

  should introduce an option to disable SNI, but as we're in feature freeze
  now I've addressed the obvious bug here (pointed out by Peter Sylvester): we
  shouldn't try to enable SNI when SSLv2 or SSLv3 is explicitly selected.
  Code for OpenSSL and GnuTLS was fixed. NSS doesn't seem to have a particular
  option for SNI, or are we simply not using it?

diff --git a/CHANGES b/CHANGES
index e03f92c88f4216bf57b78a3b63a392c1fcafda8c..a69c714ba3f306511fb0b50562d9cfa0ccab7778 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -6,6 +6,14 @@
 
                                   Changelog
 
+Daniel Stenberg (2 Aug 2009)
+- Curt Bogmine reported a problem with SNI enabled on a particular server. We
+  should introduce an option to disable SNI, but as we're in feature freeze
+  now I've addressed the obvious bug here (pointed out by Peter Sylvester): we
+  shouldn't try to enable SNI when SSLv2 or SSLv3 is explicitly selected.
+  Code for OpenSSL and GnuTLS was fixed. NSS doesn't seem to have a particular
+  option for SNI, or are we simply not using it?
+
 Daniel Stenberg (1 Aug 2009)
 - Scott Cantor posted the bug report #2829955
   (http://curl.haxx.se/bug/view.cgi?id=2829955) mentioning the recent SSL cert

diff --git a/RELEASE-NOTES b/RELEASE-NOTES
index b019bbc74cb18b783caa6990ac23072daec7c53c..8f18e2bb1cfca20221430819cb746253a0e1d4ba 100644 (file)
--- a/RELEASE-NOTES
+++ b/RELEASE-NOTES
@@ -41,6 +41,7 @@ This release includes the following bugfixes:
  o with noproxy set you could still get a proxy if a proxy env was set
  o rand seeding on libcurl on windows built with OpenSSL was not thread-safe
  o fixed the zero byte inserted in cert name flaw in libcurl+OpenSSL
+ o don't try SNI with SSLv2 or SSLv3 (OpenSSL and GnuTLS builds)
 
 This release includes the following known bugs:
 
@@ -54,6 +55,6 @@ advice from friends like these:
  Aaron Oneal, Igor Novoseltsev, Eric Wong, Bill Hoffman, Daniel Steinberg,
  Fabian Keil, Michal Marek, Reuven Wachtfogel, Markus Koetter,
  Constantine Sapuntzakis, David Binderman, Johan van Selst, Alexander Beedie,
- Tanguy Fautre, Scott Cantor
+ Tanguy Fautre, Scott Cantor, Curt Bogmine, Peter Sylvester
 
         Thanks! (and sorry if I forgot to mention someone)

diff --git a/TODO-RELEASE b/TODO-RELEASE
index ad1e24f541cd5ac138730a70b6f526cb1187ed28..4f458bfcc8e78c7df675495203b65ec5e2401473 100644 (file)
--- a/TODO-RELEASE
+++ b/TODO-RELEASE
@@ -3,12 +3,8 @@ To be addressed in 7.19.6 (planned release: August 2009)
 
 248 - "Pausing pipeline problems."
 
-249 - Wildcard cert name checking and null termination
-
 251 - TFTP block size
 
-252 - disable SNI for SSLv2 and SSLv3
-
 To be addressed in 7.19.7 (planned release: October 2009)
 =========================
 

diff --git a/lib/gtls.c b/lib/gtls.c
index d5c8f1a793f25313b187d501c1f000e24465105a..81748306e1a827f44d90e0cd47c10e24af57ddb8 100644 (file)
--- a/lib/gtls.c
+++ b/lib/gtls.c
@@ -260,6 +260,7 @@ Curl_gtls_connect(struct connectdata *conn,
   const char *ptr;
   void *ssl_sessionid;
   size_t ssl_idsize;
+  bool sni = TRUE; /* default is SNI enabled */
 #ifdef ENABLE_IPV6
   struct in6_addr addr;
 #else
@@ -279,6 +280,8 @@ Curl_gtls_connect(struct connectdata *conn,
     failf(data, "GnuTLS does not support SSLv2");
     return CURLE_SSL_CONNECT_ERROR;
   }
+  else if(data->set.ssl.version == CURL_SSLVERSION_SSLv3)
+    sni = FALSE; /* SSLv3 has no SNI */
 
   /* allocate a cred struct */
   rc = gnutls_certificate_allocate_credentials(&conn->ssl[sockindex].cred);
@@ -335,6 +338,7 @@ Curl_gtls_connect(struct connectdata *conn,
 #ifdef ENABLE_IPV6
       (0 == Curl_inet_pton(AF_INET6, conn->host.name, &addr)) &&
 #endif
+      sni &&
       (gnutls_server_name_set(session, GNUTLS_NAME_DNS, conn->host.name,
                               strlen(conn->host.name)) < 0))
     infof(data, "WARNING: failed to configure server name indication (SNI) "

diff --git a/lib/ssluse.c b/lib/ssluse.c
index 324b05d475ae42fb227aa0a805f758735230e395..fa81d08f5b097ec259a37ec1f9177a15849203ad 100644 (file)
--- a/lib/ssluse.c
+++ b/lib/ssluse.c
@@ -1351,6 +1351,7 @@ ossl_connect_step1(struct connectdata *conn,
   X509_LOOKUP *lookup=NULL;
   curl_socket_t sockfd = conn->sock[sockindex];
   struct ssl_connect_data *connssl = &conn->ssl[sockindex];
+  bool sni = TRUE; /* default is SNI enabled */
 #ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
 #ifdef ENABLE_IPV6
   struct in6_addr addr;
@@ -1376,9 +1377,11 @@ ossl_connect_step1(struct connectdata *conn,
     break;
   case CURL_SSLVERSION_SSLv2:
     req_method = SSLv2_client_method();
+    sni = FALSE;
     break;
   case CURL_SSLVERSION_SSLv3:
     req_method = SSLv3_client_method();
+    sni = FALSE;
     break;
   }
 
@@ -1565,6 +1568,7 @@ ossl_connect_step1(struct connectdata *conn,
 #ifdef ENABLE_IPV6
       (0 == Curl_inet_pton(AF_INET6, conn->host.name, &addr)) &&
 #endif
+      sni &&
       !SSL_set_tlsext_host_name(connssl->handle, conn->host.name))
     infof(data, "WARNING: failed to configure server name indication (SNI) "
           "TLS extension\n");