TLS-SNI extension

udit043 · Jul 24, 2016 · 62325a3 · 62325a3
1 parent 0811a9e
commit 62325a3
Show file tree

Hide file tree

Showing 4 changed files with 46 additions and 56 deletions.
diff --git a/reflow/dtls_wrapper/DtlsSocket.cxx b/reflow/dtls_wrapper/DtlsSocket.cxx
@@ -57,10 +57,6 @@ DtlsSocket::DtlsSocket(std::auto_ptr<DtlsSocketContext> socketContext, DtlsFacto
    {
    case Client:
       {
-         /* OpenSSL < 1.0.0 does not have SSL_set_tlsext_host_name() */
-         #if defined(SSL_set_tlsext_host_name)
-            SSL_set_tlsext_host_name(mSsl,"ws.sip5060.net"); // Set hostname for SNI extension
-         #endif
          SSL_set_connect_state(mSsl);
          break;
       }

diff --git a/resip/stack/ssl/DtlsTransport.cxx b/resip/stack/ssl/DtlsTransport.cxx
@@ -468,10 +468,7 @@ void DtlsTransport::_write( FdSet& fdset )
 
 
       InfoLog( << "DTLS handshake starting (client mode)" );
-      /* OpenSSL < 1.0.0 does not have SSL_set_tlsext_host_name() */
-      #if defined(SSL_set_tlsext_host_name)
-        SSL_set_tlsext_host_name(ssl,"ws.sip5060.net"); // Set hostname for SNI extension
-      #endif
+
       SSL_set_connect_state( ssl ) ;
 
       wBio = BIO_new_dgram( (int)mFd, BIO_NOCLOSE ) ;

diff --git a/resip/stack/ssl/Security.cxx b/resip/stack/ssl/Security.cxx
@@ -123,59 +123,55 @@ verifyCallback(int iInCode, X509_STORE_CTX *pInStore)
 } 
 }
 
+bool IsDomainInDefCert(const char *servername)
+{
+   if (strcasecmp(servername, "ws.sip5060.net") == 0)
+   {
+      return true;
+   }
+   else
+   {
+      return false;
+   }
+}
 
-//*static int 
-//ServerNameCallback(SSL *ssl, int *ad, void *arg)
-//{
-//    resip_assert(ssl);
-//    if (ssl == NULL)
-//        return SSL_TLSEXT_ERR_NOACK;
-
-//    const char* servername = SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name);
-//    resip_assert(servername && servername[0]);
-//    if (!servername || servername[0] == '\0')
-//        return SSL_TLSEXT_ERR_NOACK;
-//*/
-    /* Does the default cert already handle this domain? */
-//    if (SSL_CTX_set_verify(ssl, SSL_VERIFY_PEER|SSL_VERIFY_CLIENT_ONCE, verifyCallback))
-//        return SSL_TLSEXT_ERR_OK;
-
-//   /* Need a new certificate for this domain */
-//    SSL_CTX* ctx = GetServerContext(servername);
-//    resip_assert(ctx != NULL);
-//    if (ctx == NULL)
-//        return SSL_TLSEXT_ERR_NOACK;   
-
-//    return SSL_TLSEXT_ERR_OK;
-//}
-
-/* This is a context that we pass to callbacks */
-typedef struct tlsextctx_st {
-    char *servername;
-    BIO *biodebug;
-    int extension_error;
-} tlsextctx;
+/*SSL_CTX* GetServerContext(const char *servername)
+{
+   if (strcasecmp(servername, "ws.sip5060.net") == 0)
+   {
+      //certnum = 2;
+      Node = "195.8.117.57:443";
+      NodeName = "ws.sip5060.net";
+      DebugLog(<<"Switching to ws.sip5060.net");
+      return m_ssl_ctx2;
+      
+   }
+   return m_ssl_ctx;
+}*/
 
 static int
-ssl_servername_cb(SSL *s, int *ad, void *arg)
+ssl_servername_cb(SSL *ssl, int *ad, void *arg)
 {
-    tlsextctx *p = (tlsextctx *) arg;
-    const char *servername = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
-    if (servername && p->biodebug)
-        BIO_printf(p->biodebug, "Hostname in TLS extension: \"%s\"\n",
-                   servername);
+    resip_assert(ssl);
+    if (ssl == NULL)
+        return SSL_TLSEXT_ERR_NOACK;
+
+    const char* servername = SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name);
+    resip_assert(servername && servername[0]);
+    if (!servername || servername[0] == '\0')
+        return SSL_TLSEXT_ERR_NOACK;
 
-    if (!p->servername)
+    /* Does the default cert already handle this domain? */
+    if (!IsDomainInDefCert(servername))
         return SSL_TLSEXT_ERR_NOACK;
 
-    /*if (servername) {
-        if (strcasecmp(servername, p->servername))
-            return p->extension_error;
-        if (mTlsCtx) {
-            BIO_printf(p->biodebug, "Switching server context.\n");
-            SSL_set_SSL_CTX(s, mTlsCtx);
-        }
-    }*/
+    /* Need a new certificate for this domain */
+/*    SSL_CTX* ctx = GetServerContext(servername);
+    resip_assert(ctx != NULL);
+    if (ctx == NULL)
+        return SSL_TLSEXT_ERR_NOACK;   
+*/
+
     return SSL_TLSEXT_ERR_OK;
 }
 
@@ -1207,8 +1203,8 @@ BaseSecurity::BaseSecurity (const CipherList& cipherSuite, const Data& defaultPr
 
    SSL_CTX_set_default_passwd_cb(mTlsCtx, pem_passwd_cb);
    SSL_CTX_set_cert_store(mTlsCtx, mRootTlsCerts);
-   SSL_CTX_set_tlsext_servername_callback(mTlsCtx,ssl_servername_cb);
    SSL_CTX_set_verify(mTlsCtx, SSL_VERIFY_PEER|SSL_VERIFY_CLIENT_ONCE, verifyCallback);
+   SSL_CTX_set_tlsext_servername_callback(mTlsCtx,ssl_servername_cb);
    ret = SSL_CTX_set_cipher_list(mTlsCtx, cipherSuite.cipherList().c_str());
    resip_assert(ret);
    setDHParams(mTlsCtx);
@@ -1220,6 +1216,7 @@ BaseSecurity::BaseSecurity (const CipherList& cipherSuite, const Data& defaultPr
    SSL_CTX_set_default_passwd_cb(mSslCtx, pem_passwd_cb);
    SSL_CTX_set_cert_store(mSslCtx, mRootSslCerts);
    SSL_CTX_set_verify(mSslCtx, SSL_VERIFY_PEER|SSL_VERIFY_CLIENT_ONCE, verifyCallback);
+   SSL_CTX_set_tlsext_servername_callback(mSslCtx,ssl_servername_cb);   
    ret = SSL_CTX_set_cipher_list(mSslCtx,cipherSuite.cipherList().c_str());
    resip_assert(ret);
    setDHParams(mSslCtx);

diff --git a/resip/stack/ssl/TlsConnection.cxx b/resip/stack/ssl/TlsConnection.cxx
@@ -208,7 +208,7 @@ TlsConnection::checkState()
          InfoLog( << "TLS handshake starting (client mode)" );
          /* OpenSSL < 1.0.0 does not have SSL_set_tlsext_host_name() */
          #if defined(SSL_set_tlsext_host_name)
-            SSL_set_tlsext_host_name(mSsl,"ws.sip5060.net"); // Set hostname for SNI extension
+            SSL_set_tlsext_host_name(mSsl,"ws.sip5060.net"); // Set hostname for SNI extension //who().getTargetDomain()
          #endif
          SSL_set_connect_state(mSsl);
          mTlsState = Handshaking;