From: Kevin McCarthy
Date: Thu, 9 Mar 2017 21:00:10 +0000 (-0800)
Subject: Add SNI support for OpenSSL. (see #3923)
X-Git-Tag: neomutt-20170414~26^2~7
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=d83401fa8a9b18315adcd6bfa99ff0aa25866e98;p=neomutt

Add SNI support for OpenSSL. (see #3923)

The original patch for this is by Phil Pennock at:
https://people.spodhuis.org/phil.pennock/software/mutt-patches/

I have removed the OpenSSL version check and defined(OPENSSL_NO_TLSEXT) check because:

* SSL_set_tlsext_host_name() was added in 0.9.8f [11 Oct 2007]
* OpenSSL 1.1 no longer has the OPENSSL_NO_TLSEXT compilation option
* https://rt.openssl.org/Ticket/Display.html?id=2788&user=guest&pass=guest shows that the no-tlsext compilation option has been broken for some time.
* Going forward, I'd like to minimize and start removing cruft required to support ancient/insecure versions of libraries.
---
diff --git a/mutt_ssl.c b/mutt_ssl.c
index b72e77114..9ab6efc47 100644
--- a/mutt_ssl.c
+++ b/mutt_ssl.c
@@ -558,19 +558,17 @@ static int ssl_negotiate (CONNECTION *conn, sslsockdata* ssldata) SSL_set_verify (ssldata->ssl, SSL_VERIFY_PEER, ssl_verify_callback); SSL_set_mode (ssldata->ssl, SSL_MODE_AUTO_RETRY); - ERR_clear_error (); -#if (OPENSSL_VERSION_NUMBER >= 0x0090806fL) && !defined(OPENSSL_NO_TLSEXT) - /* TLS Virtual-hosting requires that the server present the correct - * certificate; to do this, the ServerNameIndication TLS extension is used. - * If TLS is negotiated, and OpenSSL is recent enough that it might have - * support, and support was enabled when OpenSSL was built, mutt supports - * sending the hostname we think we're connecting to, so a server can send - * back the correct certificate. - * This has been tested over SMTP against Exim 4.80. - * Not yet found an IMAP server which supports this. */ - SSL_set_tlsext_host_name (ssldata->ssl, conn->account.host); -#endif + if (!SSL_set_tlsext_host_name (ssldata->ssl, conn->account.host)) + { + /* L10N: This is a warning when trying to set the host name for + * TLS Server Name Indication (SNI). This allows the server to present + * the correct certificate if it supports multiple hosts. */ + mutt_error(_("Warning: unable to set TLS SNI host name")); + mutt_sleep (1); + } + + ERR_clear_error (); if ((err = SSL_connect (ssldata->ssl)) != 1) {
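Review bot: the new SSL_set_tlsext_host_name (ssldata->ssl, conn->account.host) call in ssl_negotiate sends whatever the user configured as the host, but RFC 6066 section 3 forbids literal IPv4/IPv6 addresses in the SNI HostName and OpenSSL does not reject them, so a connection configured by address would send a non-conforming extension that some servers refuse. Suggest guarding the call, e.g. skip it when conn->account.host parses as an address (inet_pton on AF_INET and AF_INET6) and only emit the "Warning: unable to set TLS SNI host name" error when a real host name could not be set. The rest of the hunk looks right: a failure is a soft warning rather than a connect abort, and moving ERR_clear_error () to after the SNI call means a failed set does not leave stale entries on the error queue for SSL_connect to misreport. Minor: the removed comment recorded that SNI was tested against Exim 4.80 over SMTP and against no IMAP server yet; a one-line note to that effect would be worth keeping near the call.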