From e98e6de9a8dea9ab9358813c1ed3a787f12bdb8f Mon Sep 17 00:00:00 2001
From: Maximilian Fridrich
Date: Tue, 30 Jul 2024 09:31:23 +0200
Subject: [PATCH] tls/sni: skip SNI check if we are client or server_name not set

The servername_callback is also called when the server requests a certificate in the ServerHello. However, the server will not usually send us the server_name extension. So skip the SNI check if we are client. Also continue if the server_name extension is not present.
---
 src/tls/openssl/sni.c | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/src/tls/openssl/sni.c b/src/tls/openssl/sni.c
index 8298e40fd..f4b9fcc7d 100644
--- a/src/tls/openssl/sni.c
+++ b/src/tls/openssl/sni.c
@@ -165,11 +165,12 @@ static int ssl_servername_handler(SSL *ssl, int *al, void *arg)
 struct tls_cert *uc = NULL;
 const char *sni;
 
+if (!SSL_is_server(ssl))
+return SSL_TLSEXT_ERR_OK;
+
 sni = SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name);
-if (!str_isset(sni)) {
-*al = SSL_AD_UNRECOGNIZED_NAME;
-return SSL_TLSEXT_ERR_ALERT_FATAL;
-}
+if (!str_isset(sni))
+return SSL_TLSEXT_ERR_OK;
 
 /* find and apply matching certificate */
 uc = tls_cert_for_sni(tls, sni);
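Review bot: The two new early returns carry no comment, so a reader of the hunk cannot tell that accepting a missing server_name is deliberate rather than an accidental loss of the old SSL_AD_UNRECOGNIZED_NAME alert. A why-comment above `if (!SSL_is_server(ssl))` such as `/* the servername callback also fires on the client side; SNI selection only applies to servers */` and one above the second return such as `/* no server_name extension: keep the certificate already configured and let the handshake proceed */` would record the intent from the commit message in the code itself. Note that on the server side a ClientHello without SNI previously aborted the handshake with a fatal alert and now presumably continues with the context's existing certificate; that behavioral change is worth a line in the function's header comment so operators relying on the old strict rejection are not surprised. The body of ssl_servername_handler begins before and continues after this hunk.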