author | Daniel Stenberg <daniel@haxx.se> | 2021-01-28 20:16:55 +0100 |
---|---|---|
committer | Daniel Stenberg <daniel@haxx.se> | 2021-01-28 20:16:55 +0100 |
commit | c84035f63312a2c5c7fcbd145b6a571cfe6f3f42 (patch) | |
tree | d758616ef7b7413c60fe97533d6542ec8e050f05 | |
parent | 36ef64841d5ee4071af805a83096c06036c8433f (diff) | |
download | curl-bagder/openssl-lowercase-sni.tar.gz |
openssl: lowercase the hostname before using it for SNI [bagder/openssl-lowercase-sni]
... because it turns out several servers out there don't actually behave
correctly otherwise.
Reported-by: David Earl
Fixes #6540
-rw-r--r-- | lib/vtls/openssl.c | 19 |
1 files changed, 15 insertions, 4 deletions
diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
index f99b663aa..de4c33d96 100644
--- a/lib/vtls/openssl.c
+++ b/lib/vtls/openssl.c
@@ -3189,10 +3189,21 @@ static CURLcode ossl_connect_step1(struct Curl_easy *data,
 #ifdef ENABLE_IPV6
 (0 == Curl_inet_pton(AF_INET6, hostname, &addr)) &&
 #endif
- sni &&
- !SSL_set_tlsext_host_name(backend->handle, hostname))
- infof(data, "WARNING: failed to configure server name indication (SNI) "
- "TLS extension\n");
+ sni) {
+ size_t nlen = strlen(hostname);
+ if((long)nlen >= data->set.buffer_size)
+ /* this is seriously messed up */
+ return CURLE_SSL_CONNECT_ERROR;
+
+ /* RFC 6066 section 3 says the SNI field is case insensitive, but browsers
+ send the data lowercase and subsequently there are now numerous servers
+ out there that don't work unless the name is lowercased */
+ Curl_strntolower(data->state.buffer, hostname, nlen);
+ data->state.buffer[nlen] = 0;
+ if(!SSL_set_tlsext_host_name(backend->handle, data->state.buffer))
+ infof(data, "WARNING: failed to configure server name indication (SNI) "
+ "TLS extension\n");
+ }
 #endif

 /* Check if there's a cached ID we can/should use here! */ |
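Review bot: The lowercased copy is written into `data->state.buffer` after a length check against `data->set.buffer_size` only. Nothing in the hunk shows that the buffer is already allocated when `ossl_connect_step1` reaches this point, or that its allocation still matches the configured size, so a NULL or smaller buffer would be written through here. I would make the guard `if(!data->state.buffer || (long)nlen >= data->set.buffer_size)` and add `failf(data, "Failed to prepare hostname for SNI");` before the return, since the early `CURLE_SSL_CONNECT_ERROR` currently gives the user no reason. A short comment saying that the shared transfer buffer is borrowed as scratch space for the SNI name would also help the next reader. The function body starts and ends outside this hunk, so the allocation order could not be checked from here.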