From 7d6d7b52950deea1ea03d49e89e16f0eb4de95a9 Mon Sep 17 00:00:00 2001
From: Maximilian Fridrich
Date: Tue, 30 Jul 2024 09:31:23 +0200
Subject: [PATCH] tls/sni: skip SNI check if we are client or server_name not set

The servername_callback is also called when the server requests a certificate in the ServerHello. However, the server will not usually send us the server_name extension. So skip the SNI check if we are client. Also continue if the server_name extension is not present.
---
 src/tls/openssl/sni.c | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/src/tls/openssl/sni.c b/src/tls/openssl/sni.c
index 8298e40fd..86b748085 100644
--- a/src/tls/openssl/sni.c
+++ b/src/tls/openssl/sni.c
@@ -163,13 +163,15 @@ static int ssl_servername_handler(SSL *ssl, int *al, void *arg)
 {
 	struct tls *tls = arg;
 	struct tls_cert *uc = NULL;
+	int ssl_state = SSL_get_state(ssl);
 	const char *sni;
 
+	if (ssl_state == TLS_ST_CR_SRVR_HELLO)
+		return SSL_TLSEXT_ERR_OK;
+
 	sni = SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name);
-	if (!str_isset(sni)) {
-		*al = SSL_AD_UNRECOGNIZED_NAME;
-		return SSL_TLSEXT_ERR_ALERT_FATAL;
-	}
+	if (!str_isset(sni))
+		return SSL_TLSEXT_ERR_OK;
 
 	/* find and apply matching certificate */
 	uc = tls_cert_for_sni(tls, sni);
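Review bot: The added "are we the client" test keys on a single handshake state, `ssl_state == TLS_ST_CR_SRVR_HELLO`, which is narrower than the intent stated in the commit message; a client is not guaranteed to be in exactly that state when this callback fires (in TLS 1.3 the server_name extension is carried in EncryptedExtensions rather than ServerHello, so the client would presumably be in a different CR_ state and fall through to the certificate lookup below). Checking the role directly is both simpler and complete: `if (!SSL_is_server(ssl))` followed by `return SSL_TLSEXT_ERR_OK;`, which also drops the `ssl_state` local. Separately, the new `if (!str_isset(sni)) return SSL_TLSEXT_ERR_OK;` silently changes server behaviour from rejecting SNI-less ClientHellos to serving whatever default certificate is already loaded, which is a policy decision worth a comment on that line, e.g. `/* no server_name: keep the default certificate */`, and `SSL_TLSEXT_ERR_NOACK` is the conventional return when the extension was not present. The body of ssl_servername_handler continues past the end of this hunk, so whether `*al` is still used elsewhere is not visible here.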