diff options
author | Daniel Stenberg <daniel@haxx.se> | 2021-01-28 20:16:55 +0100 |
---|---|---|
committer | Daniel Stenberg <daniel@haxx.se> | 2021-01-29 10:40:01 +0100 |
commit | 60de76e2ada650c5f87de3760771089f466a6b8a (patch) | |
tree | d758616ef7b7413c60fe97533d6542ec8e050f05 | |
parent | 36ef64841d5ee4071af805a83096c06036c8433f (diff) | |
download | curl-60de76e2ada650c5f87de3760771089f466a6b8a.tar.gz |
openssl: lowercase the hostname before using it for SNI
... because it turns out several servers out there don't actually behave
correctly otherwise in spite of the fact that the SNI field is
specifically said to be case insensitive in RFC 6066 section 3.
Reported-by: David Earl
Fixes #6540
Closes #6543
-rw-r--r-- | lib/vtls/openssl.c | 19 |
1 files changed, 15 insertions, 4 deletions
diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c index f99b663aa..de4c33d96 100644 --- a/lib/vtls/openssl.c +++ b/lib/vtls/openssl.c @@ -3189,10 +3189,21 @@ static CURLcode ossl_connect_step1(struct Curl_easy *data, #ifdef ENABLE_IPV6 (0 == Curl_inet_pton(AF_INET6, hostname, &addr)) && #endif - sni && - !SSL_set_tlsext_host_name(backend->handle, hostname)) - infof(data, "WARNING: failed to configure server name indication (SNI) " - "TLS extension\n"); + sni) { + size_t nlen = strlen(hostname); + if((long)nlen >= data->set.buffer_size) + /* this is seriously messed up */ + return CURLE_SSL_CONNECT_ERROR; + + /* RFC 6066 section 3 says the SNI field is case insensitive, but browsers + send the data lowercase and subsequently there are now numerous servers + out there that don't work unless the name is lowercased */ + Curl_strntolower(data->state.buffer, hostname, nlen); + data->state.buffer[nlen] = 0; + if(!SSL_set_tlsext_host_name(backend->handle, data->state.buffer)) + infof(data, "WARNING: failed to configure server name indication (SNI) " + "TLS extension\n"); + } #endif /* Check if there's a cached ID we can/should use here! */ |