author: Thomas Klute <thomas2.klute@uni-dortmund.de> 2017-09-21 10:45:05 +0200
committer: Nikos Mavrogiannopoulos <nmav@gnutls.org> 2017-09-24 10:55:27 +0200
commit: 78fb46afbe738c780ec056a5da18683344b0dc82 (patch)
tree: d877959e8619db438d9ac1fb092077914d08b927
parent: a9601277ae361ed060eb99397e05ba793361feae (diff)
download: gnutls-78fb46afbe738c780ec056a5da18683344b0dc82.tar.gz
Ensure the SNI extension is parsed during cache-based resumption
This patch changes the parse_type of the SNI extension to GNUTLS_EXT_MANDATORY to ensure it is parsed during every handshake. With SNI previously classified as GNUTLS_EXT_APPLICATION, GnuTLS servers ignored the SNI extension when resuming a TLS session from cache, because "application" level extensions are skipped during resumption. As a result, gnutls_server_name_get() always returned GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE when called on the resumed session, breaking virtual server systems.

According to RFC 6066, Section 3, the SNI extension must be parsed on session resumption if implemented at all: "A server that implements this extension MUST NOT accept the request to resume the session if the server_name extension contains a different name."

This change allows applications using GnuTLS to match SNI data on resumed sessions.

Signed-off-by: Thomas Klute <thomas2.klute@uni-dortmund.de>
-rw-r--r-- lib/ext/server_name.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/ext/server_name.c b/lib/ext/server_name.c
index 93234f1c10..1454818967 100644
--- a/lib/ext/server_name.c
+++ b/lib/ext/server_name.c
@@ -47,7 +47,7 @@ _gnutls_server_name_set_raw(gnutls_session_t session,
const extension_entry_st ext_mod_server_name = {
.name = "Server Name Indication",
.type = GNUTLS_EXTENSION_SERVER_NAME,
- .parse_type = GNUTLS_EXT_APPLICATION,
+ .parse_type = GNUTLS_EXT_MANDATORY,
.recv_func = _gnutls_server_name_recv_params,
.send_func = _gnutls_server_name_send_params,
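Review bot: the one-line change to `.parse_type = GNUTLS_EXT_MANDATORY` makes the extension get parsed on resumption, but nothing in this hunk enforces the RFC 6066 Section 3 rule the commit message quotes (refusing resumption when the offered server_name differs from the one stored with the cached session); please state in the message whether that comparison is expected to happen in `_gnutls_server_name_recv_params`, in the resumption path, or in the application via `gnutls_server_name_get()`, so readers do not assume the MUST NOT is now covered by the library. The diffstat shows only lib/ext/server_name.c touched, so a regression test that resumes a cached session with the same and with a different SNI and checks `gnutls_server_name_get()` on the resumed session would pin the fixed behaviour.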