[glib-networking/no-ip-in-sni: 2/2] Do not fill SNI extension with IP address




commit b6bf72806097ccf0ddeb892f68ce10e1d15483ec
Author: Matteo Biggio <biggio amazon com>
Date:   Wed Dec 29 17:50:54 2021 +0100

    Do not fill SNI extension with IP address
    
    Sending a "ClientHello" message with an SNI extension containing
    an IP address is forbidden, according to RFC 4366:
    https://datatracker.ietf.org/doc/html/rfc4366#section-3.1

 tls/gnutls/gtlsclientconnection-gnutls.c   | 2 +-
 tls/openssl/gtlsclientconnection-openssl.c | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
---
diff --git a/tls/gnutls/gtlsclientconnection-gnutls.c b/tls/gnutls/gtlsclientconnection-gnutls.c
index bd67fc10..9045270b 100644
--- a/tls/gnutls/gtlsclientconnection-gnutls.c
+++ b/tls/gnutls/gtlsclientconnection-gnutls.c
@@ -347,7 +347,7 @@ g_tls_client_connection_gnutls_set_property (GObject      *object,
       gnutls->server_identity = g_value_dup_object (value);
 
       hostname = get_server_identity (gnutls);
-      if (hostname)
+      if (hostname && !g_hostname_is_ip_address (hostname))
         {
           gnutls_session_t session = g_tls_connection_gnutls_get_session (G_TLS_CONNECTION_GNUTLS (gnutls));
 
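Review bot: The new condition carries no comment explaining why IP literals are excluded, here and in the matching hunk in tls/openssl/gtlsclientconnection-openssl.c, so a later reader may take it for an arbitrary restriction and drop it; I would add `/* RFC 6066 §3 (formerly RFC 4366 §3.1): literal IPv4/IPv6 addresses are not permitted in the SNI HostName, so the extension is skipped for them. */` above the `if` in both places. Skipping SNI only changes what the ClientHello carries; the peer certificate still needs to be checked against the server_identity (including an IP literal) by the verification path, which is outside this hunk, and it is worth confirming that path does not depend on a server name having been set on the session. The enclosing function continues outside the hunk on both sides, so I cannot see whether a server name set by an earlier assignment of the property is cleared when it is re-set to an IP literal.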
diff --git a/tls/openssl/gtlsclientconnection-openssl.c b/tls/openssl/gtlsclientconnection-openssl.c
index 2fc8149f..263596b8 100644
--- a/tls/openssl/gtlsclientconnection-openssl.c
+++ b/tls/openssl/gtlsclientconnection-openssl.c
@@ -520,7 +520,7 @@ g_tls_client_connection_openssl_initable_init (GInitable       *initable,
   SSL_set_ex_data (client->ssl, data_index, client);
 
 #ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
-  if (hostname)
+  if (hostname && !g_hostname_is_ip_address (hostname))
     SSL_set_tlsext_host_name (client->ssl, hostname);
 #endif
 

