SNI support #258

Open
arekm opened this issue Aug 5, 2016 · 5 comments
Comments

@arekm

arekm commented Aug 5, 2016

libetpan seems to not call SSL_set_tlsext_host_name() for indicating TLS SNI [1], which causes it to get the wrong certificate from (for example) an IMAP server.

So this is a feature request about adding SNI support.

openssl-*/apps/s_client.c does that in such way:

    /* servername comes from s_client's -servername option */
    if (servername != NULL) {
        /* puts the server_name extension into the ClientHello */
        if (!SSL_set_tlsext_host_name(con, servername)) {
            BIO_printf(bio_err, "Unable to set TLS servername extension.\n");
            ERR_print_errors(bio_err);
            goto end;
        }
    }

so I hope it is also easy for libetpan.

  1. https://en.wikipedia.org/wiki/Server_Name_Indication
@mschwendt

Indeed, this is also affecting a gnutls-based build with TLS 1.3 enabled, such as Claws Mail on Fedora 29 when contacting Google Mail via IMAP.

@dinhvh
Owner

dinhvh commented Sep 23, 2018

Could you send a pull request? Thanks!

@mschwendt

If I knew enough of the internals of libetpan, I would know where to access the server name that would be needed. I've ended up in src/data-types/mailstream_ssl.c when I had a look, but didn't find it.

@MadAlexUK
Contributor

MadAlexUK commented Oct 20, 2018

I'm wanting SNI support in Claws Mail as well.

It looks to me like it would be a huge pain to feed the server name (when there is one) all the way through from where the socket is opened to where the TLS configuration happens. At present only the file descriptor of the socket is passed through to the mailstream implementations and many functions would need to be modified to pass more information through.

On the other hand, it would be easy enough to add a new exported function for clients to call from within the optional callback (e.g. when using mailstream_ssl_open_with_callback_timeout), passing in the host name they want to be sent as the server name identification, much like the mechanism for setting a client certificate. That would also give the client the flexibility a) to choose whether to use SNI or not and b) to support odd corner cases like connecting using a known IP address to avoid a DNS lookup yet still supplying the host name for SNI.

I have seen a very experimental patch work against gnutls in conjunction with a very experimental patch to Claws Mail. If the approach is considered reasonable I will finish testing against openssl and submit a pull request, just as soon as I've figured out how to use GitHub sufficiently to do that!
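Added example for two points raised above: arekm's report that no server_name extension is sent at all, and the corner case of connecting by a known address while still naming the host for SNI. It is not libetpan code and is not from anyone in this thread. Python's ssl module is used because it sits on OpenSSL and makes the same SSL_set_tlsext_host_name() call for its server_hostname argument; the handshake is driven into memory BIOs so the ClientHello can be inspected offline with no socket at all, and the host names used are made up.

```python
"""Show when a TLS client puts a server_name (SNI) extension on the wire.

Added example, not libetpan code. The ClientHello is captured from a memory
BIO, so nothing is sent over the network and no server is needed.
"""
import ssl
import struct


def client_hello_bytes(server_hostname):
    """Start a client handshake into memory BIOs and return the ClientHello record.

    server_hostname=None models a client that never calls
    SSL_set_tlsext_host_name(), which is the behaviour reported in this issue.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    if server_hostname is None:
        # With no name there is nothing to check the certificate against, and
        # the stdlib refuses server_hostname=None unless hostname checking is off.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_side=False,
                       server_hostname=server_hostname)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass  # expected: ClientHello is in `outgoing`, client now waits for the server
    return outgoing.read()


def sni_from_client_hello(data):
    """Parse a TLS ClientHello record and return the SNI host name, or None if absent."""
    # TLS record header: content type (0x16 = handshake), version, 16-bit length
    if len(data) < 5 or data[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", data[3:5])[0]
    body = data[5:5 + rec_len]
    # Handshake header: message type (0x01 = ClientHello), 24-bit length
    if body[0] != 0x01:
        raise ValueError("not a ClientHello")
    pos = 4                                        # msg type + 3-byte length
    pos += 2 + 32                                  # legacy_version + random
    pos += 1 + body[pos]                           # session_id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
    pos += 1 + body[pos]                           # compression_methods
    if pos >= len(body):
        return None                                # no extensions block at all
    ext_total = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_total
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
        ext_data = body[pos + 4:pos + 4 + ext_len]
        pos += 4 + ext_len
        if ext_type != 0x0000:                     # 0 = server_name (RFC 6066)
            continue
        list_len = struct.unpack("!H", ext_data[0:2])[0]
        off = 2
        while off + 3 <= 2 + list_len:
            name_type = ext_data[off]
            name_len = struct.unpack("!H", ext_data[off + 1:off + 3])[0]
            name = ext_data[off + 3:off + 3 + name_len]
            off += 3 + name_len
            if name_type == 0:                     # NameType host_name
                return name.decode("ascii")
    return None


if __name__ == "__main__":
    # Constructed inputs: a missing name, a DNS name, and an IP literal.
    for name in (None, "imap.example.net", "192.0.2.10"):
        print(repr(name), "->", sni_from_client_hello(client_hello_bytes(name)))
```

With no name the ClientHello carries no server_name extension, which is exactly what a server hosting several names needs in order to pick the right certificate. The name that ends up in SNI is whatever the caller passes, independent of the address the underlying socket is connected to, so a client may well connect to a known IP and still supply the DNS name. Passing the IP literal itself as the name yields no SNI at all, because RFC 6066 does not allow literal addresses there, which is why the DNS name has to be handed through to wherever the TLS object is configured.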

@MadAlexUK
Contributor

A candidate pull request following the approach I suggested has been created, for consideration. An experimental patch for Claws Mail that utilises it is attached to http://www.thewildbeast.co.uk/claws-mail/bugzilla/show_bug.cgi?id=4103 in case it helps anybody.

4 participants