authorDaniel Stenberg <daniel@haxx.se>2022-01-22 23:57:59 +0100
committerDaniel Stenberg <daniel@haxx.se>2022-01-23 11:59:54 +0100
commit40dd059a92625767c8c1865434069e55fccfbe8f (patch)
treedef1592b098dc379b41fcd557f36a752b8681fbe
parentdd4c8a0ab2be0c020b356edc569b7aedbfe7a474 (diff)
mbedtls: set the right SNI name
-rw-r--r--lib/vtls/mbedtls.c15
1 files changed, 9 insertions, 6 deletions
diff --git a/lib/vtls/mbedtls.c b/lib/vtls/mbedtls.c
index 4dd7efa2b..c31dbd7d4 100644
--- a/lib/vtls/mbedtls.c
+++ b/lib/vtls/mbedtls.c
@@ -561,12 +561,15 @@ mbed_connect_step1(struct Curl_easy *data, struct connectdata *conn,
mbedtls_ssl_conf_own_cert(&backend->config,
&backend->clicert, &backend->pk);
}
- if(mbedtls_ssl_set_hostname(&backend->ssl, hostname)) {
- /* mbedtls_ssl_set_hostname() sets the name to use in CN/SAN checks *and*
- the name to set in the SNI extension. So even if curl connects to a
- host specified as an IP address, this function must be used. */
- failf(data, "couldn't set hostname in mbedTLS");
- return CURLE_SSL_CONNECT_ERROR;
+ {
+ char *snihost = Curl_ssl_snihost(data, hostname, NULL);
+ if(!snihost || mbedtls_ssl_set_hostname(&backend->ssl, snihost)) {
+ /* mbedtls_ssl_set_hostname() sets the name to use in CN/SAN checks and
+ the name to set in the SNI extension. So even if curl connects to a
+ host specified as an IP address, this function must be used. */
+ failf(data, "couldn't set hostname in mbedTLS");
+ return CURLE_SSL_CONNECT_ERROR;
+ }
}
#ifdef HAS_ALPN
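Review bot: The comment inside the new `if` explains only why `mbedtls_ssl_set_hostname()` must be called, but the name now passed in is `snihost`, so whatever `Curl_ssl_snihost()` returns also becomes the name mbedTLS uses for the CN/SAN check, not just the SNI value. That helper's body is not visible here, so any normalization it applies (presumably case folding or trailing-dot handling) should be stated where the verification name is set, e.g. `/* snihost feeds both SNI and certificate name matching; it must stay equivalent to the requested hostname */`. The combined condition also reports a NULL from `Curl_ssl_snihost()` and a failure from mbedTLS with the same message and drops the mbedTLS return code, so the two cases cannot be told apart in logs. `mbed_connect_step1` begins and ends outside this hunk.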