feature: tls-sni

author Phil Pennock <mutt-dev@spodhuis.demon.nl>

Sat, 30 Jan 2016 16:22:13 +0000 (16:22 +0000)

committer Richard Russon <rich@flatcap.org>

Thu, 18 Aug 2016 15:15:38 +0000 (16:15 +0100)
author Phil Pennock <mutt-dev@spodhuis.demon.nl>
Sat, 30 Jan 2016 16:22:13 +0000 (16:22 +0000)
committer Richard Russon <rich@flatcap.org>
Thu, 18 Aug 2016 15:15:38 +0000 (16:15 +0100)
diff --git a/mutt_ssl.c b/mutt_ssl.c

index bf67972189d475848fc0473e7c70ccb70a5a6397..295953aca211740de2aa702c745e44f691526f3b 100644 (file)
--- a/mutt_ssl.c
+++ b/mutt_ssl.c
@@ -412,6 +412,18 @@ static int ssl_negotiate (CONNECTION *conn, sslsockdata* ssldata)
    SSL_set_mode (ssldata->ssl, SSL_MODE_AUTO_RETRY);
  #endif
  
+#if (OPENSSL_VERSION_NUMBER >= 0x0090806fL) && !defined(OPENSSL_NO_TLSEXT)
+  /* TLS Virtual-hosting requires that the server present the correct
+   * certificate; to do this, the ServerNameIndication TLS extension is used.
+   * If TLS is negotiated, and OpenSSL is recent enough that it might have
+   * support, and support was enabled when OpenSSL was built, mutt supports
+   * sending the hostname we think we're connecting to, so a server can send
+   * back the correct certificate.
+   * This has been tested over SMTP against Exim 4.80.
+   * Not yet found an IMAP server which supports this. */
+  SSL_set_tlsext_host_name (ssldata->ssl, conn->account.host);
+#endif
+
    if ((err = SSL_connect (ssldata->ssl)) != 1)
    {
      switch (SSL_get_error (ssldata->ssl, err))
author	Phil Pennock <mutt-dev@spodhuis.demon.nl>
	Sat, 30 Jan 2016 16:22:13 +0000 (16:22 +0000)
committer	Richard Russon <rich@flatcap.org>
	Thu, 18 Aug 2016 15:15:38 +0000 (16:15 +0100)