diff options
Diffstat (limited to '')
-rw-r--r-- | tls_client.c | 27 |
1 files changed, 20 insertions, 7 deletions
diff --git a/tls_client.c b/tls_client.c index 0743495..47ebc40 100644 --- a/tls_client.c +++ b/tls_client.c @@ -1,4 +1,4 @@ -/* $OpenBSD: tls_client.c,v 1.45 2018/03/19 16:34:47 jsing Exp $ */ +/* $OpenBSD: tls_client.c,v 1.47 2021/06/01 20:26:11 tb Exp $ */ /* * Copyright (c) 2014 Joel Sing <jsing@openbsd.org> * @@ -280,6 +280,7 @@ static int tls_connect_common(struct tls *ctx, const char *servername) { union tls_addr addrbuf; + size_t servername_len; int rv = -1; if ((ctx->flags & TLS_CLIENT) == 0) { @@ -292,6 +293,17 @@ tls_connect_common(struct tls *ctx, const char *servername) tls_set_errorx(ctx, "out of memory"); goto err; } + + /* + * If there's a trailing dot, remove it. While an FQDN includes + * the terminating dot representing the zero-length label of + * the root (RFC 8499, section 2), the SNI explicitly does not + * include it (RFC 6066, section 3). + */ + servername_len = strlen(ctx->servername); + if (servername_len > 0 && + ctx->servername[servername_len - 1] == '.') + ctx->servername[servername_len - 1] = '\0'; } if ((ctx->ssl_ctx = SSL_CTX_new(SSLv23_client_method())) == NULL) { @@ -307,7 +319,7 @@ tls_connect_common(struct tls *ctx, const char *servername) goto err; if (ctx->config->verify_name) { - if (servername == NULL) { + if (ctx->servername == NULL) { tls_set_errorx(ctx, "server name not specified"); goto err; } @@ -351,13 +363,14 @@ tls_connect_common(struct tls *ctx, const char *servername) } /* - * RFC4366 (SNI): Literal IPv4 and IPv6 addresses are not + * RFC 6066 (SNI): Literal IPv4 and IPv6 addresses are not * permitted in "HostName". */ - if (servername != NULL && - inet_pton(AF_INET, servername, &addrbuf) != 1 && - inet_pton(AF_INET6, servername, &addrbuf) != 1) { - if (SSL_set_tlsext_host_name(ctx->ssl_conn, servername) == 0) { + if (ctx->servername != NULL && + inet_pton(AF_INET, ctx->servername, &addrbuf) != 1 && + inet_pton(AF_INET6, ctx->servername, &addrbuf) != 1) { + if (SSL_set_tlsext_host_name(ctx->ssl_conn, + ctx->servername) == 0) { tls_set_errorx(ctx, "server name indication failure"); goto err; } |