From e926362efd87316ae0f99bdf09a9657038489f99 Mon Sep 17 00:00:00 2001
From: Maximilian Fridrich
Date: Tue, 30 Jul 2024 09:31:23 +0200
Subject: [PATCH] tls/sni: skip SNI check if we are client or server_name not set
The servername_callback is also called when the server requests a certificate in the ServerHello. However, the server will not usually send us the server_name extension. So skip the SNI check if we are client. Also continue if the server_name extension is not present.
---
 src/tls/openssl/sni.c | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)
diff --git a/src/tls/openssl/sni.c b/src/tls/openssl/sni.c
index 8298e40fd..43b907541 100644
--- a/src/tls/openssl/sni.c
+++ b/src/tls/openssl/sni.c
@@ -165,11 +165,15 @@ static int ssl_servername_handler(SSL *ssl, int *al, void *arg)
 struct tls_cert *uc = NULL;
 const char *sni;
 
+#if !defined(LIBRESSL_VERSION_NUMBER)
+ int ssl_state = SSL_state(ssl);
+ if (ssl_state == TLS_ST_CR_SRVR_HELLO)
+ return SSL_TLSEXT_ERR_OK;
+#endif
+
 sni = SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name);
- if (!str_isset(sni)) {
- *al = SSL_AD_UNRECOGNIZED_NAME;
- return SSL_TLSEXT_ERR_ALERT_FATAL;
- }
+ if (!str_isset(sni))
+ return SSL_TLSEXT_ERR_OK;
 
 /* find and apply matching certificate */
 uc = tls_cert_for_sni(tls, sni);
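Review bot: The client-side guard in the new `#if` block keys off one handshake state, `TLS_ST_CR_SRVR_HELLO`, rather than the connection's role, so it only covers the case named in the commit message; if OpenSSL also runs this callback while the client is reading a TLS 1.3 EncryptedExtensions message (where the server acknowledges SNI), the state will not match and the function falls through to the certificate lookup — an inference from OpenSSL's extension handling, not something visible in this hunk. A direct role check `if (!SSL_is_server(ssl)) return SSL_TLSEXT_ERR_OK;` is simpler, also applies to the LibreSSL build that the `#if` currently excludes, and drops the dependency on the legacy `SSL_state()` spelling, which current OpenSSL headers provide as `SSL_get_state()` if at all. The second change quietly reverses policy: a server-side connection with no SNI used to be rejected with a fatal UNRECOGNIZED_NAME alert and now proceeds with whatever certificate the SSL_CTX holds, which is a sensible default for IP-literal clients but deserves a comment such as `/* no SNI from client: keep the SSL_CTX default certificate */` so it is not read as a missing check. The enclosing `ssl_servername_handler` continues past the end of the hunk.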