author: Thomas Klute <thomas2.klute@uni-dortmund.de>  2017-09-21 10:45:05 +0200
committer: Nikos Mavrogiannopoulos <nmav@gnutls.org>  2017-09-23 07:54:49 +0200
commit: 3ee218993521a69b39b9fc5704d02eb56b7246bb (patch)
tree: b9b24dd837957414065f483fd5515bfe9b5ea759
parent: 30c551bd3b16ad135257778fe20a90172a8f4bbd (diff)
download: gnutls-3ee218993521a69b39b9fc5704d02eb56b7246bb.tar.gz
Ensure the SNI extension is parsed during cache-based resumption
This patch changes the parse_type of the SNI extension to GNUTLS_EXT_MANDATORY to ensure it is parsed during every handshake. With SNI previously classified as GNUTLS_EXT_APPLICATION, GnuTLS servers ignored the SNI extension when resuming a TLS session from cache, because "application" level extensions are skipped during resumption. As a result, gnutls_server_name_get() always returned GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE when called on the resumed session, breaking virtual server systems.

According to RFC 6066, Section 3 the SNI extension must be parsed on session resumption if implemented at all: "A server that implements this extension MUST NOT accept the request to resume the session if the server_name extension contains a different name."

This change allows applications using GnuTLS to match SNI data on resumed sessions.

Signed-off-by: Thomas Klute <thomas2.klute@uni-dortmund.de>
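The commit message describes the rule from RFC 6066, Section 3 that this patch makes possible to apply: once the server_name extension is parsed on a resumed session, the application can compare the name against the one the cached session was established for and refuse to resume on a mismatch. The following is an added example, not GnuTLS code and not part of this commit: it models that server-side decision with a constructed session cache, a parser for the raw server_name extension body (the wire format GnuTLS's _gnutls_server_name_recv_params handles), and a resume_session() function that returns the RFC 6066 outcome. The cache layout, the function names, and the choice to treat a resumption attempt without server_name as a different name are this example's own assumptions.

```c
/* Added example (not GnuTLS code): a minimal model of the RFC 6066, Section 3
 * resumption rule quoted in the commit message. parse_server_name() parses the
 * raw server_name extension body; resume_session() refuses to resume a cached
 * session whose stored host name differs from the one in the resuming
 * ClientHello. The session cache and all inputs are constructed here. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_NAME 255
#define MAX_ID 32

/* Server-side cached session. In GnuTLS the application's db callbacks hold
 * this state; keeping the SNI name next to it is this example's assumption. */
struct cached_session {
    uint8_t id[MAX_ID];
    size_t id_len;
    char server_name[MAX_NAME + 1];
    int in_use;
};

enum resume_result {
    RESUME_OK = 0,           /* same name: resumption may proceed */
    RESUME_NO_SESSION = 1,   /* unknown session id: full handshake */
    RESUME_SNI_MISMATCH = 2, /* different name: MUST NOT resume (RFC 6066 s.3) */
    RESUME_BAD_SNI = 3       /* malformed extension: reject the ClientHello */
};

/* Encode a host_name as a server_name extension body:
 *   uint16 server_name_list length; uint8 name_type (0 = host_name);
 *   uint16 host_name length; opaque host_name.
 * Returns the number of bytes written, or 0 if it does not fit. */
size_t build_server_name(const char *host, uint8_t *buf, size_t buf_size)
{
    size_t len = strlen(host);
    size_t total = 2 + 1 + 2 + len;
    if (len == 0 || len > MAX_NAME || total > buf_size) return 0;
    buf[0] = (uint8_t)((len + 3) >> 8); buf[1] = (uint8_t)(len + 3);
    buf[2] = 0;                                   /* name_type host_name */
    buf[3] = (uint8_t)(len >> 8); buf[4] = (uint8_t)len;
    memcpy(buf + 5, host, len);
    return total;
}

/* Parse a server_name extension body into out (NUL-terminated host_name).
 * Returns 0 on success, -1 on malformed input or if no host_name entry exists. */
int parse_server_name(const uint8_t *ext, size_t ext_len, char *out, size_t out_size)
{
    if (ext_len < 2) return -1;
    size_t list_len = ((size_t)ext[0] << 8) | ext[1];
    if (list_len + 2 != ext_len) return -1;       /* list must fill the body exactly */
    size_t pos = 2;
    while (pos < ext_len) {
        if (ext_len - pos < 3) return -1;         /* truncated entry header */
        uint8_t type = ext[pos];
        size_t name_len = ((size_t)ext[pos + 1] << 8) | ext[pos + 2];
        pos += 3;
        if (name_len > ext_len - pos) return -1;  /* length runs past the body */
        if (type == 0) {
            if (name_len == 0 || name_len >= out_size) return -1;
            if (memchr(ext + pos, '\0', name_len)) return -1; /* embedded NUL */
            memcpy(out, ext + pos, name_len);
            out[name_len] = '\0';
            return 0;
        }
        pos += name_len;                          /* skip unknown name types */
    }
    return -1;
}

/* Record a session after a full handshake. Returns 0, or -1 if the cache is full. */
int store_session(struct cached_session *cache, size_t n,
                  const uint8_t *id, size_t id_len, const char *server_name)
{
    if (id_len > MAX_ID || strlen(server_name) > MAX_NAME) return -1;
    for (size_t i = 0; i < n; i++) {
        if (cache[i].in_use) continue;
        memcpy(cache[i].id, id, id_len);
        cache[i].id_len = id_len;
        strcpy(cache[i].server_name, server_name);
        cache[i].in_use = 1;
        return 0;
    }
    return -1;
}

/* Decide whether the resuming ClientHello (session id plus server_name body,
 * or ext == NULL when the extension is absent) may resume the cached session.
 * Assumption of this model: no server_name on resumption counts as a
 * different name. Names are compared byte-for-byte; DNS names are
 * case-insensitive, so a real server would normalise first. */
enum resume_result resume_session(const struct cached_session *cache, size_t n,
                                  const uint8_t *id, size_t id_len,
                                  const uint8_t *ext, size_t ext_len)
{
    const struct cached_session *s = NULL;
    for (size_t i = 0; i < n; i++)
        if (cache[i].in_use && cache[i].id_len == id_len &&
            memcmp(cache[i].id, id, id_len) == 0) { s = &cache[i]; break; }
    if (!s) return RESUME_NO_SESSION;

    char name[MAX_NAME + 1] = "";
    if (ext != NULL && parse_server_name(ext, ext_len, name, sizeof name) != 0)
        return RESUME_BAD_SNI;
    /* The comparison the commit message leaves to the application. */
    return strcmp(name, s->server_name) == 0 ? RESUME_OK : RESUME_SNI_MISMATCH;
}

int main(void)
{
    struct cached_session cache[4];
    memset(cache, 0, sizeof cache);
    const uint8_t id[4] = {0x01, 0x02, 0x03, 0x04}; /* constructed session id */
    uint8_t ext[64];
    size_t n = build_server_name("www.example.org", ext, sizeof ext);
    store_session(cache, 4, id, 4, "www.example.org");
    printf("same name:      %d\n", resume_session(cache, 4, id, 4, ext, n));
    n = build_server_name("mail.example.org", ext, sizeof ext);
    printf("different name: %d\n", resume_session(cache, 4, id, 4, ext, n));
    return 0;
}
```

In a real GnuTLS server the parse step is what this commit fixes: on a resumed session the application would fetch the name with gnutls_server_name_get() instead of parse_server_name(), and the comparison against the cached session's name, plus the fallback to a full handshake on mismatch, stays the application's job.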
-rw-r--r--  lib/ext/server_name.c  2
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/ext/server_name.c b/lib/ext/server_name.c
index 336dd67276..c6f1882ce2 100644
--- a/lib/ext/server_name.c
+++ b/lib/ext/server_name.c
@@ -48,7 +48,7 @@ _gnutls_server_name_set_raw(gnutls_session_t session,
const extension_entry_st ext_mod_server_name = {
.name = "Server Name Indication",
.type = GNUTLS_EXTENSION_SERVER_NAME,
- .parse_type = GNUTLS_EXT_APPLICATION,
+ .parse_type = GNUTLS_EXT_MANDATORY,
.recv_func = _gnutls_server_name_recv_params,
.send_func = _gnutls_server_name_send_params,
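Review bot: switching .parse_type to GNUTLS_EXT_MANDATORY makes the server parse server_name on a cache-based resumption, but nothing in this hunk applies the RFC 6066, Section 3 rule the commit message quotes (MUST NOT resume if the name differs); per the message, the matching is left to the application through gnutls_server_name_get(). That split of responsibility should be stated where applications will see it (the gnutls_server_name_get() documentation or the commit message), and since this one-file diff adds no test, a test that resumes a cached session with a different server_name and checks that gnutls_server_name_get() no longer returns GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE would pin down the behaviour the patch fixes and guard against the parse_type being reclassified later.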