From: "Toke Høiland-Jørgensen" <toke@toke.dk>
To: emacs-devel@gnu.org
Subject: [PATCH] gnutls: Add SNI support
Date: Mon, 24 Nov 2014 13:17:22 +0100
Message-ID: <87wq6k3i99.fsf@toke.dk>
Currently, Emacs does not support Server Name Identification. This means
that servers that host multiple SSL sites on the same IP will send the
wrong certificate to Emacs. In addition, some servers refuse connections
entirely if the SNI extension is not included in the client handshake.
This patch adds what I think is the required call into GnuTLS to add the
hostname information on the handshake. Unfortunately I have been unable
to actually test the patch, since I can't get the git trunk to compile.
However, I thought I'd post it anyway to maybe get someone else to have
a look.
Oh, and there's a bit of a hack in trying to detect whether the hostname
is an IPv4 or IPv6 literal (in which case the hostname shouldn't be
included in the handshake). Not sure if omitting that check entirely
will work, or if there's a better way to detect this case.
-Toke
diff --git a/src/gnutls.c b/src/gnutls.c
index 22e3aec..e8a6966 100644
--- a/src/gnutls.c
+++ b/src/gnutls.c
@@ -187,6 +187,9 @@ DEF_GNUTLS_FN (int, gnutls_x509_crt_get_key_id,
DEF_GNUTLS_FN (const char*, gnutls_sec_param_get_name, (gnutls_sec_param_t));
DEF_GNUTLS_FN (const char*, gnutls_sign_algorithm_get_name,
(gnutls_sign_algorithm_t));
+DEF_GNUTLS_FN (int, gnutls_server_name_set, (gnutls_session_t,
+ gnutls_server_name_type_t,
+ const void *, size_t));
static bool
init_gnutls_functions (void)
@@ -263,6 +266,7 @@ init_gnutls_functions (void)
LOAD_GNUTLS_FN (library, gnutls_x509_crt_get_key_id);
LOAD_GNUTLS_FN (library, gnutls_sec_param_get_name);
LOAD_GNUTLS_FN (library, gnutls_sign_algorithm_get_name);
+ LOAD_GNUTLS_FN (library, gnutls_server_name_set);
max_log_level = global_gnutls_log_level;
@@ -335,6 +339,7 @@ init_gnutls_functions (void)
#define fn_gnutls_x509_crt_get_key_id gnutls_x509_crt_get_key_id
#define fn_gnutls_sec_param_get_name gnutls_sec_param_get_name
#define fn_gnutls_sign_algorithm_get_name gnutls_sign_algorithm_get_name
+#define fn_gnutls_server_name_set gnutls_server_name_set
#endif /* !WINDOWSNT */
@@ -1137,6 +1142,7 @@ one trustfile (usually a CA bundle). */)
char const *priority_string_ptr = "NORMAL"; /* default priority string. */
unsigned int peer_verification;
char *c_hostname;
+ char *c; bool send_hostname = 0;
/* Placeholders for the property list elements. */
Lisp_Object priority_string;
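Review bot: Style point on the added declaration `char *c; bool send_hostname = 0;`: the file declares one variable per line, and a `bool` should be initialised with `false` rather than `0`. The pointer is only ever used to walk `c_hostname` without modifying it, so `char const *c;` (or a more descriptive name than `c`, next to the existing `c_hostname`) would also document that the scan is read-only.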
@@ -1375,6 +1381,22 @@ one trustfile (usually a CA bundle). */)
if (ret < GNUTLS_E_SUCCESS)
return gnutls_make_error (ret);
+ /* Quick and dirty test of the hostname; shouldn't be an IP. If it
+ contains letters, we assume it's a hostname, unless it contains a
+ : in which case we assume it's a literal IPv6 address. */
+ for(c = c_hostname; c; c++) {
+ if(c >= 'a') send_hostname = 1;
+ if(c == ':') {send_hostname = 0; break;}
+ }
+
+ if(send_hostname) {
+ GNUTLS_LOG (1, max_log_level, "setting TLS hostname");
+ ret = fn_gnutls_server_name_set(state, GNUTLS_NAME_DNS, c_hostname, strlen(c_hostname));
+ if (ret < GNUTLS_E_SUCCESS)
+ return gnutls_make_error (ret);
+ }
+
+
GNUTLS_INITSTAGE (proc) = GNUTLS_STAGE_CRED_SET;
ret = emacs_gnutls_handshake (XPROCESS (proc));
if (ret < GNUTLS_E_SUCCESS)
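Review bot: The scan loop in this hunk is wrong at every step and will not compile cleanly: `for(c = c_hostname; c; c++)` tests the pointer, not the character it points at, so it never stops at the terminating NUL and walks off the end of the string, and `if(c >= 'a')` / `if(c == ':')` compare the pointer value with an integer rather than dereferencing it (`*c`). Even with `*c`, the heuristic misclassifies real input: an all-uppercase name such as "EXAMPLE.COM" has no byte `>= 'a'` and would silently get no SNI, while punctuation above 'a' (`{`, `~`) would count as a letter. Since the point is to skip the address literals that RFC 6066 forbids in the extension, a direct test with `inet_pton (AF_INET, ...)` and `inet_pton (AF_INET6, ...)` is both simpler and exact; `send_hostname` then only needs to be cleared when either succeeds. Two smaller points: the call `fn_gnutls_server_name_set(state, GNUTLS_NAME_DNS, c_hostname, strlen(c_hostname));` should follow the GNU spacing used everywhere else in the file (`fn_gnutls_server_name_set (state, ...)`, `strlen (c_hostname)`), and the hunk adds two blank lines before `GNUTLS_INITSTAGE (proc) = GNUTLS_STAGE_CRED_SET;` where one is enough.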
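The literal-address check the mail asks about, written out as an added example; this is not code from the patch, from Emacs or from GnuTLS, and the helper names `is_ip_literal` and `sni_name_len` are hypothetical. It uses `inet_pton` to recognise IPv4 and IPv6 literals (including the bracketed URL form and a zone-id suffix, both of which `inet_pton` alone rejects) and applies the other RFC 6066 rules for the HostName field: ASCII only, no trailing dot, nothing sent for an address. The returned length is what would be passed as the last argument of `gnutls_server_name_set`, before the handshake.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper, not from Emacs or GnuTLS: true if HOST is an IPv4
   or IPv6 address literal.  Besides the plain forms that inet_pton accepts,
   it recognises the bracketed URL form "[2001:db8::1]" and a zone id
   suffix such as "fe80::1%eth0". */
static bool
is_ip_literal (const char *host)
{
  unsigned char buf[16];
  char tmp[INET6_ADDRSTRLEN + 1];
  size_t len = strlen (host);
  const char *pct;

  if (inet_pton (AF_INET, host, buf) == 1)
    return true;

  if (len >= 2 && host[0] == '[' && host[len - 1] == ']')
    {
      host += 1;
      len -= 2;
    }
  pct = memchr (host, '%', len);
  if (pct != NULL)
    len = (size_t) (pct - host);
  if (len == 0 || len >= sizeof tmp)
    return false;
  memcpy (tmp, host, len);
  tmp[len] = '\0';
  return inet_pton (AF_INET6, tmp, buf) == 1;
}

/* Hypothetical helper: number of bytes of HOST to pass to
   gnutls_server_name_set, or 0 when no SNI extension should be sent.
   RFC 6066 allows only an ASCII DNS name without a trailing dot in the
   extension and forbids address literals, so those cases yield 0. */
static size_t
sni_name_len (const char *host)
{
  size_t len = strlen (host);

  if (len == 0 || is_ip_literal (host))
    return 0;
  if (host[len - 1] == '.')
    len--;                      /* drop the trailing dot of an FQDN */
  for (size_t i = 0; i < len; i++)
    if ((unsigned char) host[i] >= 0x80)
      return 0;                 /* non-ASCII: would need an A-label first */
  return len;
}

int
main (void)
{
  /* Constructed sample inputs. */
  static const char *const hosts[] = {
    "www.example.com", "Example.COM.", "localhost",
    "192.0.2.10", "::1", "[2001:db8::1]", "fe80::1%eth0", "",
  };
  for (size_t i = 0; i < sizeof hosts / sizeof hosts[0]; i++)
    {
      size_t n = sni_name_len (hosts[i]);
      if (n)
        printf ("%-16s -> send SNI \"%.*s\"\n", hosts[i], (int) n, hosts[i]);
      else
        printf ("%-16s -> no SNI\n", hosts[i]);
    }
  return 0;
}
```

In the patch's context the decision would read `size_t n = sni_name_len (c_hostname);` followed by the `gnutls_server_name_set (state, GNUTLS_NAME_DNS, c_hostname, n)` call only when `n` is non-zero, and the call has to stay ahead of the handshake, since the extension is sent in the ClientHello.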
Thread overview: 9+ messages
2014-11-24 12:17 Toke Høiland-Jørgensen [this message]
2014-11-24 12:28 ` [PATCH] gnutls: Add SNI support Thien-Thi Nguyen
2014-11-24 13:08 ` Toke Høiland-Jørgensen
2014-11-24 14:50 ` Lars Magne Ingebrigtsen
2014-11-24 20:56 ` Florian Weimer
2014-11-24 12:33 ` Jérémie Courrèges-Anglas
2014-11-26 21:52 ` Lars Magne Ingebrigtsen
2014-11-26 22:12 ` Lars Magne Ingebrigtsen
2014-11-27 9:01 ` Toke Høiland-Jørgensen
Code repositories for project(s) associated with this public inbox
https://git.savannah.gnu.org/cgit/emacs.git