summaryrefslogtreecommitdiff
path: root/lib
diff options
context:
space:
mode:
authorThomas Klute <thomas2.klute@uni-dortmund.de>2017-09-21 10:45:05 +0200
committerNikos Mavrogiannopoulos <nmav@gnutls.org>2017-09-23 07:54:49 +0200
commit3ee218993521a69b39b9fc5704d02eb56b7246bb (patch)
treeb9b24dd837957414065f483fd5515bfe9b5ea759 /lib
parent30c551bd3b16ad135257778fe20a90172a8f4bbd (diff)
downloadgnutls-3ee218993521a69b39b9fc5704d02eb56b7246bb.tar.gz
Ensure the SNI extension is parsed during cache-based resumption
This patch changes the parse_type of the SNI extension to GNUTLS_EXT_MANDATORY to ensure it is parsed during every handshake. With SNI previously classified as GNUTLS_EXT_APPLICATION, GnuTLS servers ignored the SNI extension when resuming a TLS session from cache, because "application" level extensions are skipped during resumption. As a result, gnutls_server_name_get() always returned GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE when called on the resumed session, breaking virtual server systems. According to RFC 6066, Section 3 the SNI extension must be parsed on session resumption if implemented at all: "A server that implements this extension MUST NOT accept the request to resume the session if the server_name extension contains a different name." This change allows applications using GnuTLS to match SNI data on resumed sessions. Signed-off-by: Thomas Klute <thomas2.klute@uni-dortmund.de>
Diffstat (limited to 'lib')
-rw-r--r--lib/ext/server_name.c2
1 files changed, 1 insertions, 1 deletions
diff --git a/lib/ext/server_name.c b/lib/ext/server_name.c
index 336dd67276..c6f1882ce2 100644
--- a/lib/ext/server_name.c
+++ b/lib/ext/server_name.c
@@ -48,7 +48,7 @@ _gnutls_server_name_set_raw(gnutls_session_t session,
const extension_entry_st ext_mod_server_name = {
.name = "Server Name Indication",
.type = GNUTLS_EXTENSION_SERVER_NAME,
- .parse_type = GNUTLS_EXT_APPLICATION,
+ .parse_type = GNUTLS_EXT_MANDATORY,
.recv_func = _gnutls_server_name_recv_params,
.send_func = _gnutls_server_name_send_params,