From 60de76e2ada650c5f87de3760771089f466a6b8a Mon Sep 17 00:00:00 2001 From: Daniel Stenberg Date: Thu, 28 Jan 2021 20:16:55 +0100 Subject: openssl: lowercase the hostname before using it for SNI ... because it turns out several servers out there don't actually behave correctly otherwise in spite of the fact that the SNI field is specifically said to be case insensitive in RFC 6066 section 3. Reported-by: David Earl Fixes #6540 Closes #6543 --- lib/vtls/openssl.c | 19 +++++++++++++++---- 1 file changed, 15 insertions(+), 4 deletions(-) diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c index f99b663aa..de4c33d96 100644 --- a/lib/vtls/openssl.c +++ b/lib/vtls/openssl.c @@ -3189,10 +3189,21 @@ static CURLcode ossl_connect_step1(struct Curl_easy *data, #ifdef ENABLE_IPV6 (0 == Curl_inet_pton(AF_INET6, hostname, &addr)) && #endif - sni && - !SSL_set_tlsext_host_name(backend->handle, hostname)) - infof(data, "WARNING: failed to configure server name indication (SNI) " - "TLS extension\n"); + sni) { + size_t nlen = strlen(hostname); + if((long)nlen >= data->set.buffer_size) + /* this is seriously messed up */ + return CURLE_SSL_CONNECT_ERROR; + + /* RFC 6066 section 3 says the SNI field is case insensitive, but browsers + send the data lowercase and subsequently there are now numerous servers + out there that don't work unless the name is lowercased */ + Curl_strntolower(data->state.buffer, hostname, nlen); + data->state.buffer[nlen] = 0; + if(!SSL_set_tlsext_host_name(backend->handle, data->state.buffer)) + infof(data, "WARNING: failed to configure server name indication (SNI) " + "TLS extension\n"); + } #endif /* Check if there's a cached ID we can/should use here! */ -- cgit v1.2.1