lynx-dev

[Lynx-dev] [PATCH] TLS SNI support


From: Phil Pennock
Subject: [Lynx-dev] [PATCH] TLS SNI support
Date: Tue, 31 Mar 2009 18:14:08 -0700

[ my subscription has been moderated; I'm hoping the moderator lets this
  post through ]

Please find attached a short and simple patch to add TLS SNI support to
lynx; SNI, or Server Name Indication, means that the TLS client
basically adds some extra information to the TLS handshake to indicate
the hostname to which it's connecting (RFC 4366, and RFC 3546 before
that).

Patch against lynx 2-8-6 tested on FreeBSD 7.0/amd64 with OpenSSL 0.9.8k.

The OpenSSL CHANGES file lists SSL_set_tlsext_host_name as added in
0.9.8f, which corresponds to 0x0090806fL.  If OpenSSL was *not* built
with SNI explicitly enabled (via "enable-tlsext" to EXTRACONFIGURE) then
OPENSSL_NO_TLSEXT will be defined.

So, as long as OpenSSL was built with SNI support, lynx with this patch
will automatically gain SNI support.

The client just passes the hostname field unfiltered.  Theoretically,
there should be a check to guard against this being an IP address but in
practice we just pass a textual IP address as a hostname -- the way I
wrote this seemed most consistent with the existing code-base.  This is
a corner-case and I doubt that anything will break much for it -- who is
using https with IP addresses anyway?

No additional error-checking is done or needed -- we say "we're going to
try to connect to this hostname" and if the server doesn't pass back an
appropriate certificate then we'll get an error during certificate
verification.

An obvious test site is:
  https://sni.velox.ch/

I tested this against my own web-server, which is running Apache with
the same patches.

Regards,
-Phil
--- WWW/Library/Implementation/HTTP.c.pre-pdp   2009-03-31 23:21:14.000000000 
+0000
+++ WWW/Library/Implementation/HTTP.c   2009-03-31 23:33:19.000000000 +0000
@@ -606,9 +606,19 @@ static int HTLoadHTTP(const char *arg,
     if (did_connect || !strncmp(url, "https", 5)) {
        SSL_handle = handle = HTGetSSLHandle();
        SSL_set_fd(handle, s);
+       /* get host we're connecting to */
+       ssl_host = HTParse(url, "", PARSE_HOST);
+       /* strip port number */
+       if ((p = strchr(ssl_host, ':')) != NULL)
+           *p = '\0';
 #if SSLEAY_VERSION_NUMBER >= 0x0900
-       if (!try_tls)
+       if (!try_tls) {
            handle->options |= SSL_OP_NO_TLSv1;
+#if OPENSSL_VERSION_NUMBER >= 0x0090806fL && !defined(OPENSSL_NO_TLSEXT)
+       } else {
+           SSL_set_tlsext_host_name(handle, ssl_host);
+#endif
+       }
 #endif /* SSLEAY_VERSION_NUMBER >= 0x0900 */
        HTSSLInitPRNG();
        status = SSL_connect(handle);
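Review bot: the `else` branch passes ssl_host to SSL_set_tlsext_host_name() unfiltered, but RFC 4366 does not permit literal IPv4/IPv6 addresses in the HostName extension, so the branch should skip the call when ssl_host parses as an address (the cover letter acknowledges this as a missing check). Two related points in the same lines: stripping the port with `strchr(ssl_host, ':')` cuts a bracketed IPv6 literal such as `[::1]:443` at its first colon, which predates this patch but now also determines what is sent on the wire; and because `ssl_host = HTParse(url, "", PARSE_HOST)` now runs before `SSL_connect(handle)`, confirm that the error-return paths between here and the later certificate check still free the allocated string.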
@@ -720,11 +730,7 @@ static int HTLoadHTTP(const char *arg,
        status_sslcertcheck = 0;        /* 0 = no CN found in DN */
        ssl_dn_start = ssl_dn;
        ssl_all_cns = NULL;
-       /* get host we're connecting to */
-       ssl_host = HTParse(url, "", PARSE_HOST);
-       /* strip port number */
-       if ((p = strchr(ssl_host, ':')) != NULL)
-           *p = '\0';
+       /* ssl_host now set above for passing to SNI TLS ext*/
        /* validate all CNs found in DN */
        while ((cert_host = strstr(ssl_dn_start, "/CN=")) != NULL) {
            status_sslcertcheck = 1;    /* 1 = could not verify CN */
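Review bot: style: the replacement comment `/* ssl_host now set above for passing to SNI TLS ext*/` lacks the space before `*/` and locates the assignment only by position ("above"); either say where it moved, e.g. `/* ssl_host was filled in before SSL_connect() so it can be sent as the SNI name */`, or drop the comment, since the CN-validation loop that follows does not depend on it.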

Attachment: pgpgxBZ4dW6id.pgp
Description: PGP signature
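The IP-literal corner case discussed in the message, as an added example that is not part of the patch or of lynx: a helper that takes the host part of an https URL (constructed inputs shaped like what HTParse(url, "", PARSE_HOST) returns), strips the port, and classifies the result so that a caller sends SNI only for DNS names. It goes a little beyond the text by also handling bracketed IPv6 literals, which a plain strchr(':') cut would mangle. The function and enum names are this example's own, and the optional sni_apply() section assumes a build against OpenSSL (-DUSE_OPENSSL) and mirrors the version gate from the patch.

```c
/*
 * Added example, not lynx code: derive the SNI name from the host part of an
 * https URL and refuse to send it when that host is an IP literal.  The input
 * strings in main() are constructed to look like HTParse(url, "", PARSE_HOST)
 * output; function and enum names are this example's own.
 */
#define _POSIX_C_SOURCE 200112L
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <arpa/inet.h>

/* Return values of sni_name_from_host(). */
enum sni_result {
    SNI_SEND = 1,   /* out holds a DNS name to pass to SSL_set_tlsext_host_name() */
    SNI_SKIP = 0,   /* host is an IPv4/IPv6 literal: RFC 4366 3.1 forbids it in HostName */
    SNI_ERROR = -1  /* empty or malformed host, or out too small */
};

int sni_name_from_host(const char *host_port, char *out, size_t outlen)
{
    char name[256];
    unsigned char addr[16];
    const char *start = host_port, *end;
    size_t len;
    int bracketed = 0;

    if (host_port == NULL || *host_port == '\0' || outlen == 0)
        return SNI_ERROR;
    out[0] = '\0';

    if (*start == '[') {
        /* "[v6addr]" or "[v6addr]:port": the name ends at ']' and itself contains ':' */
        bracketed = 1;
        start++;
        end = strchr(start, ']');
        if (end == NULL)
            return SNI_ERROR;
    } else {
        /* otherwise the first ':' introduces the port, so strchr() is safe here */
        end = strchr(start, ':');
        if (end == NULL)
            end = start + strlen(start);
    }

    len = (size_t)(end - start);
    if (len == 0 || len >= sizeof(name) || len >= outlen)
        return SNI_ERROR;
    memcpy(name, start, len);
    name[len] = '\0';

    if (bracketed)  /* brackets are only valid around an IPv6 literal */
        return inet_pton(AF_INET6, name, addr) == 1 ? SNI_SKIP : SNI_ERROR;
    if (inet_pton(AF_INET, name, addr) == 1 || inet_pton(AF_INET6, name, addr) == 1)
        return SNI_SKIP;

    memcpy(out, name, len + 1);
    return SNI_SEND;
}

/* Classification only, for callers that do not need the name itself. */
int sni_classify(const char *host_port)
{
    char out[256];
    return sni_name_from_host(host_port, out, sizeof out);
}

/* Did host_port yield exactly the expected SNI name? */
int sni_name_equals(const char *host_port, const char *expected)
{
    char out[256];
    return sni_name_from_host(host_port, out, sizeof out) == SNI_SEND
        && strcmp(out, expected) == 0;
}

#ifdef USE_OPENSSL  /* optional: build with -DUSE_OPENSSL -lssl -lcrypto */
#include <openssl/ssl.h>
/* Same version gate as the patch, applied only to names that may be sent. */
int sni_apply(SSL *ssl, const char *host_port)
{
    char name[256];
    int r = sni_name_from_host(host_port, name, sizeof name);
    if (r != SNI_SEND)
        return r;
#if OPENSSL_VERSION_NUMBER >= 0x0090806fL && !defined(OPENSSL_NO_TLSEXT)
    return SSL_set_tlsext_host_name(ssl, name) == 1 ? SNI_SEND : SNI_ERROR;
#else
    return SNI_SKIP;  /* library built without TLS extensions */
#endif
}
#endif

int main(void)
{
    /* constructed host strings, as HTParse() would hand them back */
    static const char *hosts[] = {
        "sni.velox.ch", "sni.velox.ch:443", "10.0.0.1:8443",
        "[2001:db8::1]:443", "[::1]", "[not-an-address]"
    };
    char out[256];
    size_t i;
    for (i = 0; i < sizeof hosts / sizeof hosts[0]; i++) {
        int r = sni_name_from_host(hosts[i], out, sizeof out);
        printf("%-20s -> %s %s\n", hosts[i],
               r == SNI_SEND ? "send SNI" : r == SNI_SKIP ? "no SNI (IP literal)" : "error",
               out);
    }
    return 0;
}
```

The check is deliberately done with inet_pton() rather than a hand-written digits-and-dots test, so that compressed IPv6 forms are recognised too; a caller that gets SNI_SKIP still connects and still verifies the certificate against the address, exactly as the message describes, it just does not send an extension the RFC forbids.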

