feature: TLS SNI

Negotiate with a server for a TSL/SSL certificate

diff --git a/README.SSL b/README.SSL
index 75cac80315698efaaaaff082a339f9cd59c20334..90290e08ca6b9417156d1921366806736068b40b 100644 (file)
--- a/README.SSL
+++ b/README.SSL
@@ -5,7 +5,7 @@ Compilation
 -----------
 If you want to have SSL support in mutt, you need to install OpenSSL
 (http://www.openssl.org) libraries and headers before compiling.
-OpenSSL versions 0.9.3 through 0.9.6a have been tested.
+OpenSSL versions 0.9.3 through 1.0.1c have been tested.
 
 For SSL support to be enabled, you need to run the ``configure''
 script with ``--enable-imap --with-ssl[=PFX]'' parameters.  If the
@@ -65,6 +65,12 @@ certificate, the connection will be established. Accepted certificates
 can also be saved so that further connections to the server are
 automatically accepted. 
 
+If OpenSSL was built with support for ServerNameIndication (SNI) and TLS
+is used in the negotiation, mutt will send its idea of the server-name
+as part of the TLS negotiation.  This allows the server to select an
+appropriate certificate, in the event that one server handles multiple
+hostnames with different certificates.
+
 If your organization has several equivalent IMAP-servers, each of them
 should have a unique certificate which is signed with a common
 certificate.  If you want to use all of those servers, you don't need to
@@ -102,9 +108,15 @@ you know which options do not work, you can set the variables for non-working
 protocols to know.  The variables for the protocols are ssl_use_tlsv1, 
 ssl_use_sslv2, and ssl_use_sslv3.
 
+To verify TLS SNI support by a server, you can use:
+    openssl s_client -host <imap server> -port <port> \
+        -tls1 -servername <imap server>
+
+
 -- 
 Tommi Komulainen
 Tommi.Komulainen@iki.fi
 
-Updated by Jeremy Katz
-katzj@linuxpower.org
+Updated by:
+  Jeremy Katz <katzj@linuxpower.org>
+  Phil Pennock <mutt-dev@spodhuis.org>

diff --git a/mutt_ssl.c b/mutt_ssl.c
index 0dd0b258527f6ddd43ce72576759a3b632f7d918..e1721a97f976b71a1c3bbf66f2d429dd6332c5e7 100644 (file)
--- a/mutt_ssl.c
+++ b/mutt_ssl.c
@@ -401,6 +401,18 @@ static int ssl_negotiate (CONNECTION *conn, sslsockdata* ssldata)
   SSL_set_mode (ssldata->ssl, SSL_MODE_AUTO_RETRY);
 #endif
 
+#if OPENSSL_VERSION_NUMBER >= 0x0090806fL && !defined(OPENSSL_NO_TLSEXT)
+  /* TLS Virtual-hosting requires that the server present the correct
+   * certificate; to do this, the ServerNameIndication TLS extension is used.
+   * If TLS is negotiated, and OpenSSL is recent enough that it might have
+   * support, and support was enabled when OpenSSL was built, mutt supports
+   * sending the hostname we think we're connecting to, so a server can send
+   * back the correct certificate.
+   * This has been tested over SMTP against Exim 4.80.
+   * Not yet found an IMAP server which supports this. */
+  SSL_set_tlsext_host_name (ssldata->ssl, conn->account.host);
+#endif
+
   if ((err = SSL_connect (ssldata->ssl)) != 1)
   {
     switch (SSL_get_error (ssldata->ssl, err))