summaryrefslogtreecommitdiff
path: root/usr.bin/openssl
diff options
context:
space:
mode:
authorJoel Sing <jsing@cvs.openbsd.org>2021-12-26 14:46:07 +0000
committerJoel Sing <jsing@cvs.openbsd.org>2021-12-26 14:46:07 +0000
commitb08c10682d8db161cc4842692c979cb03c7abd3e (patch)
treefcea6bcffe7b0c4d4c8dd7f1b05a3733ca30fc6a /usr.bin/openssl
parentf97045ed6d4dfef2fa5c8a0f1404bcfb2ddb9741 (diff)
Attempt to opportunistically use the host name for SNI in s_client.
ok beck@ inoguchi@ tb@
Diffstat (limited to 'usr.bin/openssl')
-rw-r--r--usr.bin/openssl/s_client.c44
1 files changed, 34 insertions, 10 deletions
diff --git a/usr.bin/openssl/s_client.c b/usr.bin/openssl/s_client.c
index 1e932226b23..da6ef088b8c 100644
--- a/usr.bin/openssl/s_client.c
+++ b/usr.bin/openssl/s_client.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s_client.c,v 1.56 2021/10/25 11:47:39 jca Exp $ */
+/* $OpenBSD: s_client.c,v 1.57 2021/12/26 14:46:06 jsing Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
@@ -219,6 +219,7 @@ static struct {
int msg;
int nbio;
int nbio_test;
+ int no_servername;
char *npn_in;
unsigned int off;
char *passarg;
@@ -634,6 +635,12 @@ static const struct option s_client_options[] = {
.value = SSL_OP_LEGACY_SERVER_CONNECT,
},
{
+ .name = "no_servername",
+ .desc = "Do not send a Server Name Indication (SNI) extension",
+ .type = OPTION_FLAG,
+ .opt.value = &s_client_config.no_servername,
+ },
+ {
.name = "no_ssl2",
.type = OPTION_VALUE_OR,
.opt.value = &s_client_config.off,
@@ -681,6 +688,11 @@ static const struct option s_client_options[] = {
.value = SSL_OP_NO_TLSv1_3,
},
{
+ .name = "noservername",
+ .type = OPTION_FLAG,
+ .opt.value = &s_client_config.no_servername,
+ },
+ {
.name = "pass",
.argname = "arg",
.desc = "Private key file pass phrase source",
@@ -895,6 +907,7 @@ s_client_main(int argc, char **argv)
int cbuf_len, cbuf_off;
int sbuf_len, sbuf_off;
int full_log = 1;
+ const char *servername;
char *pass = NULL;
X509 *cert = NULL;
EVP_PKEY *key = NULL;
@@ -1066,12 +1079,6 @@ s_client_main(int argc, char **argv)
if (!SSL_CTX_set_default_verify_paths(ctx))
ERR_print_errors(bio_err);
- if (s_client_config.servername != NULL) {
- tlsextcbp.biodebug = bio_err;
- SSL_CTX_set_tlsext_servername_callback(ctx, ssl_servername_cb);
- SSL_CTX_set_tlsext_servername_arg(ctx, &tlsextcbp);
- }
-
con = SSL_new(ctx);
if (s_client_config.sess_in) {
SSL_SESSION *sess;
@@ -1093,15 +1100,32 @@ s_client_main(int argc, char **argv)
SSL_set_session(con, sess);
SSL_SESSION_free(sess);
}
- if (s_client_config.servername != NULL) {
- if (!SSL_set_tlsext_host_name(con, s_client_config.servername)) {
+
+ /* Attempt to opportunistically use the host name for SNI. */
+ servername = s_client_config.servername;
+ if (servername == NULL)
+ servername = s_client_config.host;
+
+ if (!s_client_config.no_servername && servername != NULL &&
+ !SSL_set_tlsext_host_name(con, servername)) {
+ long ssl_err = ERR_peek_error();
+
+ if (s_client_config.servername != NULL ||
+ ERR_GET_LIB(ssl_err) != ERR_LIB_SSL ||
+ ERR_GET_REASON(ssl_err) != SSL_R_SSL3_EXT_INVALID_SERVERNAME) {
BIO_printf(bio_err,
"Unable to set TLS servername extension.\n");
ERR_print_errors(bio_err);
goto end;
}
+ servername = NULL;
+ ERR_clear_error();
+ }
+ if (!s_client_config.no_servername && servername != NULL) {
+ tlsextcbp.biodebug = bio_err;
+ SSL_CTX_set_tlsext_servername_callback(ctx, ssl_servername_cb);
+ SSL_CTX_set_tlsext_servername_arg(ctx, &tlsextcbp);
}
-/* SSL_set_cipher_list(con,"RC4-MD5"); */
re_start: