changeset: 6965:9d3d80dd963a
user: Kevin McCarthy <ke...@8t8.us>
date: Thu Mar 09 13:00:10 2017 -0800
link: http://dev.mutt.org/hg/mutt/rev/9d3d80dd963a
Add SNI support for OpenSSL. (see #3923)

The original patch for this is by Phil Pennock at:
https://people.spodhuis.org/phil.pennock/software/mutt-patches/

I have removed the OpenSSL version check and defined(OPENSSL_NO_TLSEXT) check because:
* SSL_set_tlsext_host_name() was added in 0.9.8f [11 Oct 2007]
* OpenSSL 1.1 no longer has the OPENSSL_NO_TLSEXT compilation option
* https://rt.openssl.org/Ticket/Display.html?id=2788&user=guest&pass=guest shows that the no-tlsext compilation option has been broken for some time.
* Going forward, I'd like to minimize and start removing cruft required to support ancient/insecure versions of libraries.

diffs (20 lines):

diff -r be5d02a8e782 -r 9d3d80dd963a mutt_ssl.c --- a/mutt_ssl.c Thu Mar 09 11:59:31 2017 -0800 +++ b/mutt_ssl.c Thu Mar 09 13:00:10 2017 -0800 @@ -551,6 +551,16 @@ SSL_set_verify (ssldata->ssl, SSL_VERIFY_PEER, ssl_verify_callback); SSL_set_mode (ssldata->ssl, SSL_MODE_AUTO_RETRY); + + if (!SSL_set_tlsext_host_name (ssldata->ssl, conn->account.host)) + { + /* L10N: This is a warning when trying to set the host name for + * TLS Server Name Indication (SNI). This allows the server to present + * the correct certificate if it supports multiple hosts. */ + mutt_error _("Warning: unable to set TLS SNI host name"); + mutt_sleep (1); + } + ERR_clear_error (); if ((err = SSL_connect (ssldata->ssl)) != 1)
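Review bot: the new `SSL_set_tlsext_host_name (ssldata->ssl, conn->account.host)` call in the hunk is made unconditionally, but RFC 6066 does not permit an IP literal in the SNI HostName field, and `conn->account.host` is a literal address whenever the user configured the server that way. Consider skipping the call, without the warning, when the host string parses as an IPv4 or IPv6 address (for example by trying `inet_pton` for each family first), so that connections to literal-address servers do not send a malformed extension. The warn-and-continue path on failure is otherwise reasonable: `SSL_set_verify (ssldata->ssl, SSL_VERIFY_PEER, ssl_verify_callback)` in the context lines still validates whatever certificate the server presents, so a missing SNI degrades to a possible verification error rather than an unverified connection.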