From: Phil Pennock
Date: Sat, 30 Jan 2016 16:22:13 +0000 (+0000)
Subject: feature: TLS SNI
X-Git-Tag: neomutt-20160404~15^2~3
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=e4817c72f7dbc5d8edaacf92298835bff96c0f93;p=neomutt

feature: TLS SNI

Negotiate with a server for a TLS/SSL certificate
---
diff --git a/README.SSL b/README.SSL index 75cac8031..90290e08c 100644 --- a/README.SSL +++ b/README.SSL @@ -5,7 +5,7 @@ Compilation ----------- If you want to have SSL support in mutt, you need to install OpenSSL (http://www.openssl.org) libraries and headers before compiling. -OpenSSL versions 0.9.3 through 0.9.6a have been tested. +OpenSSL versions 0.9.3 through 1.0.1c have been tested. For SSL support to be enabled, you need to run the ``configure'' script with ``--enable-imap --with-ssl[=PFX]'' parameters. If the @@ -65,6 +65,12 @@ certificate, the connection will be established. Accepted certificates can also be saved so that further connections to the server are automatically accepted. +If OpenSSL was built with support for ServerNameIndication (SNI) and TLS +is used in the negotiation, mutt will send its idea of the server-name +as part of the TLS negotiation. This allows the server to select an +appropriate certificate, in the event that one server handles multiple +hostnames with different certificates. + If your organization has several equivalent IMAP-servers, each of them should have a unique certificate which is signed with a common certificate. If you want to use all of those servers, you don't need to @@ -102,9 +108,15 @@ you know which options do not work, you can set the variables for non-working protocols to know. The variables for the protocols are ssl_use_tlsv1, ssl_use_sslv2, and ssl_use_sslv3. +To verify TLS SNI support by a server, you can use: + openssl s_client -host -port \ + -tls1 -servername + + -- Tommi Komulainen Tommi.Komulainen@iki.fi -Updated by Jeremy Katz -katzj@linuxpower.org +Updated by: + Jeremy Katz + Phil Pennock 
diff --git a/mutt_ssl.c b/mutt_ssl.c index a6cdd10f0..f3d0437b7 100644 --- a/mutt_ssl.c +++ b/mutt_ssl.c @@ -401,6 +401,18 @@ static int ssl_negotiate (CONNECTION *conn, sslsockdata* ssldata) SSL_set_mode (ssldata->ssl, SSL_MODE_AUTO_RETRY); #endif +#if OPENSSL_VERSION_NUMBER >= 0x0090806fL && !defined(OPENSSL_NO_TLSEXT) + /* TLS Virtual-hosting requires that the server present the correct + * certificate; to do this, the ServerNameIndication TLS extension is used. + * If TLS is negotiated, and OpenSSL is recent enough that it might have + * support, and support was enabled when OpenSSL was built, mutt supports + * sending the hostname we think we're connecting to, so a server can send + * back the correct certificate. + * This has been tested over SMTP against Exim 4.80. + * Not yet found an IMAP server which supports this. */ + SSL_set_tlsext_host_name (ssldata->ssl, conn->account.host); +#endif + if ((err = SSL_connect (ssldata->ssl)) != 1) { switch (SSL_get_error (ssldata->ssl, err))
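Review bot: In the README.SSL hunk at line 65 ("If OpenSSL was built with support for ServerNameIndication (SNI) ..."), the documentation leaves out the two conditions the code actually checks, so a user cannot tell from the README whether their build sends SNI. The mutt_ssl.c guard is `OPENSSL_VERSION_NUMBER >= 0x0090806fL && !defined(OPENSSL_NO_TLSEXT)`, i.e. OpenSSL 0.9.8f or later built without `no-tlsext`; say so in the paragraph, and replace "its idea of the server-name" with the concrete source, which per the code is the hostname configured for the account (`conn->account.host`). That also tells the reader that the name sent is whatever they typed into the account setting, not a resolved or canonical name.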
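Review bot: In the README.SSL hunk at line 102, the `openssl s_client` example has lost its arguments: `-host -port \` and `-tls1 -servername` are followed by nothing, most likely because angle-bracket placeholders were stripped, so as committed the command is not usable. Spell the placeholders out in a form that survives rendering, e.g. `openssl s_client -host HOSTNAME -port 993 -tls1 -servername HOSTNAME`, and state what a successful check looks like (the certificate returned should be the one for the name given to `-servername`). Also worth a sentence: `-tls1` pins the test to TLS 1.0 only, which is fine for exercising the extension but differs from the protocol version mutt itself will negotiate with the `ssl_use_*` settings described just above.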
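Review bot: In the mutt_ssl.c hunk, `SSL_set_tlsext_host_name (ssldata->ssl, conn->account.host);` ignores its return value and is called unconditionally; check the result and log a debug message on failure so a silently missing SNI (and the resulting wrong-certificate error) can be diagnosed, and skip the call when `conn->account.host` is an IP literal, since RFC 6066 does not permit IPv4/IPv6 addresses in the host_name extension and some servers reject such a ClientHello. Two smaller points in the comment block: "OpenSSL is recent enough that it might have support" should name the threshold the guard encodes (0x0090806fL is 0.9.8f), and "Not yet found an IMAP server which supports this" is a dated observation that belongs in the commit message rather than in a source comment that will outlive it.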