tls/sni: skip SNI check if we are client

The servername_callback is also called when the server requests a certificate in the ServerHello. However, the server will not usually send us the server_name extension. So skip the SNI check if we are client.
baresip · Jul 30, 2024 · d8b8fae · d8b8fae
1 parent 80baf46
commit d8b8fae
Showing 1 changed file with 4 additions and 0 deletions.
diff --git a/src/tls/openssl/sni.c b/src/tls/openssl/sni.c
@@ -163,8 +163,12 @@ static int ssl_servername_handler(SSL *ssl, int *al, void *arg)
 {
 	struct tls *tls	= arg;
 	struct tls_cert *uc = NULL;
+	int ssl_state = SSL_get_state(ssl);
 	const char *sni;
 
+	if (ssl_state == TLS_ST_CR_SRVR_HELLO)
+		return SSL_TLSEXT_ERR_OK;
+
 	sni = SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name);
 	if (!str_isset(sni)) {
 		*al = SSL_AD_UNRECOGNIZED_NAME;