aboutsummaryrefslogtreecommitdiffstats
path: root/main/imap/2014_openssl1.1.1_sni.patch
blob: af2bf99962fc14ecb24c4ebf1f2ae45c9813a9fd (plain) (blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
Bug-Debian: https://bugs.debian.org/916041
Bug-Ubuntu: https://bugs.launchpad.net/bugs/1834340
Description: 
 Google IMAP servers require SNI if TLSv1.3 is used,
 otherwise it sends a self-signed certificate which
 fails validation.

 OpenSSL support/versions:
 - TLSv1.3 on 1.1.1,
 - a2i_IPADDRESS() on 0.9.8'ish,
 - SSL_set_tlsext_host_name() on 0.9.8'ish/1.0.0;
 per 'git blame/describe' and the CHANGES file.

 So check for TLSv1.3 support / OpenSSL 1.1.1
 not to incur behavior changes on pre-TLSv1.3,
 and set host_name to 'host' (ssl_open_verify()
 validates this, via 'ssl_last_host' variable)

 This patch just combines these two patches:
 - BTS#916041 (message #5) by Ed Spiridonov,
 - LP#916041 (comment #6) by David Zuelke.
Author: Mauricio Faria de Oliveira <mfo@canonical.com>

--- a/src/osdep/unix/ssl_unix.c
+++ b/src/osdep/unix/ssl_unix.c
@@ -266,6 +266,14 @@ static char *ssl_start_work (SSLSTREAM *
 				/* create connection */
   if (!(stream->con = (SSL *) SSL_new (stream->context)))
     return "SSL connection failed";
+#if OPENSSL_VERSION_NUMBER >= 0x10101000
+  /* Use SNI in case server requires it with TLSv1.3.
+   * Literal IP addresses not permitted per RFC 6066. */
+  if (!a2i_IPADDRESS(host)) {
+    ERR_clear_error();
+    SSL_set_tlsext_host_name(stream->con,host);
+  }
+#endif
   bio = BIO_new_socket (stream->tcpstream->tcpsi,BIO_NOCLOSE);
   SSL_set_bio (stream->con,bio,bio);
   SSL_set_connect_state (stream->con);