author | Sebastien Marie <semarie@cvs.openbsd.org> | 2020-06-09 06:35:18 +0000 |
---|---|---|
committer | Sebastien Marie <semarie@cvs.openbsd.org> | 2020-06-09 06:35:18 +0000 |
commit | 249689fea27ddf217fdfe821dbbbb251428b5ce0 (patch) | |
tree | 078c1be6af3fce1d19e21b19bbcc4a0a8d532ee2 /usr.sbin | |
parent | 714673e36fe92357a6f6f9de90bf0e8b4c2280cf (diff) |
set TLS SNI when relaying to host
ok beck@
"looks reasonable" millert@
Diffstat (limited to 'usr.sbin')
-rw-r--r-- | usr.sbin/smtpd/mta_session.c | 23 |
1 files changed, 22 insertions, 1 deletions
diff --git a/usr.sbin/smtpd/mta_session.c b/usr.sbin/smtpd/mta_session.c index d384692a0e4..f6ae6337b9b 100644 --- a/usr.sbin/smtpd/mta_session.c +++ b/usr.sbin/smtpd/mta_session.c @@ -1,4 +1,4 @@ -/* $OpenBSD: mta_session.c,v 1.136 2020/05/21 15:38:05 millert Exp $ */ +/* $OpenBSD: mta_session.c,v 1.137 2020/06/09 06:35:17 semarie Exp $ */ /* * Copyright (c) 2008 Pierre-Yves Ritschard <pyr@openbsd.org> @@ -26,6 +26,7 @@ #include <sys/stat.h> #include <sys/uio.h> +#include <arpa/inet.h> #include <ctype.h> #include <err.h> #include <errno.h> @@ -1604,6 +1605,10 @@ mta_cert_init_cb(void *arg, int status, const char *name, const void *cert, struct mta_session *s = arg; void *ssl; char *xname = NULL, *xcert = NULL; + union { + struct in_addr in4; + struct in6_addr in6; + } addrbuf; if (s->flags & MTA_WAIT) mta_tree_pop(&wait_tls_init, s->id); @@ -1623,6 +1628,22 @@ mta_cert_init_cb(void *arg, int status, const char *name, const void *cert, free(xcert); if (ssl == NULL) fatal("mta: ssl_mta_init"); + + /* + * RFC4366 (SNI): Literal IPv4 and IPv6 addresses are not + * permitted in "HostName". + */ + if (s->relay->domain->as_host == 1) { + if (inet_pton(AF_INET, s->relay->domain->name, &addrbuf) != 1 && + inet_pton(AF_INET6, s->relay->domain->name, &addrbuf) != 1) { + log_debug("%016"PRIx64" mta tls setting SNI name=%s", + s->id, s->relay->domain->name); + if (SSL_set_tlsext_host_name(ssl, s->relay->domain->name) == 0) + log_warnx("%016"PRIx64" mta tls setting SNI failed", + s->id); + } + } + io_start_tls(s->io, ssl); } |
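Review bot: The warning emitted when SSL_set_tlsext_host_name() returns 0 omits the name that was rejected, so an operator only sees it with debug logging enabled; carrying it in the warning makes a misconfigured relay host diagnosable at the default log level: `log_warnx("%016"PRIx64" mta tls setting SNI name=%s failed", s->id, s->relay->domain->name);`. The new comment cites RFC 4366, which has since been obsoleted by RFC 6066; the same prohibition on literal addresses in HostName is in its section 3, so the comment should point there. The inet_pton() checks only recognise bare literals, so if an address literal can still reach this point with its surrounding brackets (e.g. `[192.0.2.1]`) it would be sent as the SNI name — presumably the brackets are stripped when the domain is created, but that is worth confirming. mta_cert_init_cb() starts before this hunk.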