From 3ee218993521a69b39b9fc5704d02eb56b7246bb Mon Sep 17 00:00:00 2001 From: Thomas Klute Date: Thu, 21 Sep 2017 10:45:05 +0200 Subject: Ensure the SNI extension is parsed during cache-based resumption This patch changes the parse_type of the SNI extension to GNUTLS_EXT_MANDATORY to ensure it is parsed during every handshake. With SNI previously classified as GNUTLS_EXT_APPLICATION, GnuTLS servers ignored the SNI extension when resuming a TLS session from cache, because "application" level extensions are skipped during resumption. As a result, gnutls_server_name_get() always returned GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE when called on the resumed session, breaking virtual server systems. According to RFC 6066, Section 3 the SNI extension must be parsed on session resumption if implemented at all: "A server that implements this extension MUST NOT accept the request to resume the session if the server_name extension contains a different name." This change allows applications using GnuTLS to match SNI data on resumed sessions. Signed-off-by: Thomas Klute --- lib/ext/server_name.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/ext/server_name.c b/lib/ext/server_name.c index 336dd67276..c6f1882ce2 100644 --- a/lib/ext/server_name.c +++ b/lib/ext/server_name.c @@ -48,7 +48,7 @@ _gnutls_server_name_set_raw(gnutls_session_t session, const extension_entry_st ext_mod_server_name = { .name = "Server Name Indication", .type = GNUTLS_EXTENSION_SERVER_NAME, - .parse_type = GNUTLS_EXT_APPLICATION, + .parse_type = GNUTLS_EXT_MANDATORY, .recv_func = _gnutls_server_name_recv_params, .send_func = _gnutls_server_name_send_params, -- cgit v1.2.1
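Review bot: the hunk only flips parse_type from GNUTLS_EXT_APPLICATION to GNUTLS_EXT_MANDATORY, so the received server_name is now parsed on resumption, but nothing in the patch compares it with the name the cached session was created under; the RFC 6066 "MUST NOT accept the request to resume" quoted in the commit message is therefore still not enforced by the library itself, only made possible for an application that calls gnutls_server_name_get() on the resumed session. Either state that division of responsibility plainly in the commit message (the last sentence only implies it) or add the comparison where the extension is received, in _gnutls_server_name_recv_params, and refuse resumption on mismatch. The diffstat also shows only lib/ext/server_name.c touched; a test that resumes a cached session with a different SNI would guard against this regressing.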
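The commit message leaves the actual RFC 6066 comparison to the application: after this patch gnutls_server_name_get() returns the name on a resumed session, and the application must decide whether the name still matches the session it is about to resume. The block below is an added, stand-alone example of that decision done over raw server_name extension bytes; it is not GnuTLS code and uses none of its API. The parser follows the wire format of RFC 6066 section 3 (a two-byte ServerNameList length, then NameType, two-byte HostName length and the name); the function names, the cached-name convention (empty string for a session established without SNI) and the sample hostnames are assumptions made for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <strings.h>
#include <stdio.h>

/* Added example, not GnuTLS code: a server-side check of the RFC 6066
 * rule that a cached session MUST NOT be resumed when the new ClientHello
 * carries a different server_name than the session was created with. */

#define SNI_HOST_NAME 0     /* NameType host_name (RFC 6066) */
#define MAX_SNI       255

enum resume_decision { FULL_HANDSHAKE = 0, RESUME = 1 };

/* Parse a server_name extension body and copy its first host_name entry
 * into out (NUL-terminated). Returns 1 on success, 0 if the body is
 * malformed or contains no host_name entry. Every length is checked
 * against the bytes actually present before it is used. */
int parse_sni(const uint8_t *ext, size_t ext_len, char *out, size_t out_size)
{
    if (ext_len < 2) return 0;
    size_t list_len = ((size_t)ext[0] << 8) | ext[1];
    if (list_len + 2 != ext_len) return 0;            /* list must fill the body */
    size_t pos = 2;
    while (pos + 3 <= ext_len) {
        uint8_t type = ext[pos];
        size_t name_len = ((size_t)ext[pos + 1] << 8) | ext[pos + 2];
        pos += 3;
        if (pos + name_len > ext_len) return 0;       /* truncated entry */
        if (type == SNI_HOST_NAME) {
            if (name_len == 0 || name_len >= out_size) return 0;
            memcpy(out, ext + pos, name_len);
            out[name_len] = '\0';
            return 1;
        }
        pos += name_len;                              /* skip other NameTypes */
    }
    return 0;
}

/* Encode host as a server_name extension body (inverse of parse_sni).
 * Returns the encoded length, or 0 if host is empty or does not fit. */
size_t build_sni(const char *host, uint8_t *buf, size_t buf_size)
{
    size_t n = strlen(host);
    if (n == 0 || n > MAX_SNI || n + 5 > buf_size) return 0;
    buf[0] = (uint8_t)((n + 3) >> 8); buf[1] = (uint8_t)(n + 3);
    buf[2] = SNI_HOST_NAME;
    buf[3] = (uint8_t)(n >> 8);       buf[4] = (uint8_t)n;
    memcpy(buf + 5, host, n);
    return n + 5;
}

/* cached_sni: name recorded when the cached session was created ("" if
 * that handshake had no SNI, an assumption of this example). ext/ext_len:
 * server_name body from the resumption ClientHello, ext == NULL if absent.
 * Anything that is not a clean match falls back to a full handshake. */
enum resume_decision decide_resumption(const char *cached_sni,
                                       const uint8_t *ext, size_t ext_len)
{
    char name[MAX_SNI + 1];
    if (ext == NULL)
        return cached_sni[0] == '\0' ? RESUME : FULL_HANDSHAKE;
    if (!parse_sni(ext, ext_len, name, sizeof name))
        return FULL_HANDSHAKE;                        /* malformed: do not resume */
    /* DNS names are case-insensitive, so compare accordingly */
    return strcasecmp(name, cached_sni) == 0 ? RESUME : FULL_HANDSHAKE;
}

/* Convenience wrapper: hello_sni == NULL means no server_name extension. */
enum resume_decision check_resume(const char *cached_sni, const char *hello_sni)
{
    uint8_t ext[MAX_SNI + 5];
    if (hello_sni == NULL) return decide_resumption(cached_sni, NULL, 0);
    size_t n = build_sni(hello_sni, ext, sizeof ext);
    if (n == 0) return FULL_HANDSHAKE;
    return decide_resumption(cached_sni, ext, n);
}

/* Constructed malformed body: list length claims 32 bytes, only 6 follow. */
int malformed_sni_is_refused(void)
{
    const uint8_t bad[] = { 0x00, 0x20, 0x00, 0x00, 0x03, 'a', 'b', 'c' };
    return decide_resumption("abc", bad, sizeof bad) == FULL_HANDSHAKE;
}

int main(void)
{
    /* constructed scenario: session cached for vhost1, client resumes it */
    printf("same name  -> %s\n", check_resume("vhost1.example", "vhost1.example") == RESUME ? "resume" : "full handshake");
    printf("other name -> %s\n", check_resume("vhost1.example", "vhost2.example") == RESUME ? "resume" : "full handshake");
    printf("no SNI     -> %s\n", check_resume("vhost1.example", NULL) == RESUME ? "resume" : "full handshake");
    return 0;
}
```

The point of the fallback to a full handshake rather than an alert is that RFC 6066 only forbids resuming with a different name; a fresh handshake for the newly requested name is the normal, client-compatible outcome. A GnuTLS application would obtain the cached name from its own session-cache record and the new one from gnutls_server_name_get() after this patch, then apply the same comparison.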