From: Kevin McCarthy Date: Thu, 9 Mar 2017 21:00:10 +0000 (-0800) Subject: Add SNI support for OpenSSL. (see #3923) X-Git-Tag: neomutt-20170414^2~31 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=53b1ed17301184c5f8e626f6ccd46c8b3bb53fa1;p=neomutt Add SNI support for OpenSSL. (see #3923) The original patch for this is by Phil Pennock at: https://people.spodhuis.org/phil.pennock/software/mutt-patches/ I have removed the OpenSSL version check and defined(OPENSSL_NO_TLSEXT) check because: * SSL_set_tlsext_host_name() was added in 0.9.8f [11 Oct 2007] * OpenSSL 1.1 no longer has the OPENSSL_NO_TLSEXT compilation option * https://rt.openssl.org/Ticket/Display.html?id=2788&user=guest&pass=guest shows that the no-tlsext compilation option has been broken for some time. * Going forward, I'd like to minimize and start removing cruft required to support ancient/insecure versions of libraries. --- diff --git a/mutt_ssl.c b/mutt_ssl.c index 30801c3c5..98cb82c0b 100644 --- a/mutt_ssl.c +++ b/mutt_ssl.c @@ -551,6 +551,16 @@ static int ssl_negotiate (CONNECTION *conn, sslsockdata* ssldata) SSL_set_verify (ssldata->ssl, SSL_VERIFY_PEER, ssl_verify_callback); SSL_set_mode (ssldata->ssl, SSL_MODE_AUTO_RETRY); + + if (!SSL_set_tlsext_host_name (ssldata->ssl, conn->account.host)) + { + /* L10N: This is a warning when trying to set the host name for + * TLS Server Name Indication (SNI). This allows the server to present + * the correct certificate if it supports multiple hosts. */ + mutt_error _("Warning: unable to set TLS SNI host name"); + mutt_sleep (1); + } + ERR_clear_error (); if ((err = SSL_connect (ssldata->ssl)) != 1)
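Review bot: conn->account.host may be an IP address literal rather than a DNS name (a user connecting to a server by address), and the SNI extension is only defined for host names, yet the new SSL_set_tlsext_host_name (ssldata->ssl, conn->account.host) call passes the string through unchecked, so an address literal would be sent as-is; consider skipping the call when the host is a literal. Treating a failed call as a warning and continuing is the right behaviour, since SNI is best-effort and the certificate is still verified against the same conn->account.host, but the warning text alone does not say why the call failed, and the ERR_clear_error () that follows discards the OpenSSL error queue the failing call populated, so recording the reason (at least in debug output) before that clear would make the failure diagnosable.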