tls/sni: skip SNI check if we are client or server_name not set
The servername_callback is also called when the server requests a
certificate in the ServerHello. However, the server will not usually
send us the server_name extension. So skip the SNI check if we are the
client. Also continue if the server_name extension is not present.
maximilianfridrich committed Jul 30, 2024
1 parent 80baf46 commit 7d6d7b5
Showing 1 changed file with 6 additions and 4 deletions.
10 changes: 6 additions & 4 deletions src/tls/openssl/sni.c
Expand Up @@ -163,13 +163,15 @@ static int ssl_servername_handler(SSL *ssl, int *al, void *arg)
{
struct tls *tls = arg;
struct tls_cert *uc = NULL;
int ssl_state = SSL_get_state(ssl);
const char *sni;

if (ssl_state == TLS_ST_CR_SRVR_HELLO)
return SSL_TLSEXT_ERR_OK;

sni = SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name);
if (!str_isset(sni)) {
*al = SSL_AD_UNRECOGNIZED_NAME;
return SSL_TLSEXT_ERR_ALERT_FATAL;
}
if (!str_isset(sni))
return SSL_TLSEXT_ERR_OK;

/* find and apply matching certificate */
uc = tls_cert_for_sni(tls, sni);
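Review bot: the role check at `if (ssl_state == TLS_ST_CR_SRVR_HELLO)` ties "we are the client" to one specific handshake state; `SSL_is_server(ssl)` (OpenSSL 1.1.0 and later) states the intent directly and keeps working if the callback is reached in some other client-side state, so consider `if (!SSL_is_server(ssl)) return SSL_TLSEXT_ERR_OK;`. The second change is a server-side behaviour change that the commit message should spell out: a ClientHello without server_name used to be rejected with `SSL_AD_UNRECOGNIZED_NAME` / `SSL_TLSEXT_ERR_ALERT_FATAL`, and now returns `SSL_TLSEXT_ERR_OK` and continues on whatever certificate is already configured on the SSL object, so it is worth confirming that default certificate is the one intended for SNI-less clients.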
