Commit b8f34888 authored by Howard Chu's avatar Howard Chu

ITS#9176 check for numeric addrs before passing SNI

parent 8f174209
......@@ -342,6 +342,7 @@ ldap_int_tls_connect( LDAP *ld, LDAPConn *conn, const char *host )
Sockbuf *sb = conn->lconn_sb;
int err;
tls_session *ssl = NULL;
char *sni = host;
if ( HAS_TLS( sb )) {
ber_sockbuf_ctrl( sb, LBER_SB_OPT_GET_SSL, (void *)&ssl );
......@@ -376,7 +377,26 @@ ldap_int_tls_connect( LDAP *ld, LDAPConn *conn, const char *host )
lo->ldo_tls_connect_cb( ld, ssl, ctx, lo->ldo_tls_connect_arg );
}
err = tls_imp->ti_session_connect( ld, ssl, host );
/* pass hostname for SNI, but only if it's an actual name
* and not a numeric address
*/
{
int numeric = 1;
char *c;
for ( c = sni; *c; c++ ) {
if ( *c == ':' ) /* IPv6 address */
break;
if ( *c == '.' )
continue;
if ( !isdigit( *c )) {
numeric = 0;
break;
}
}
if ( numeric )
sni = NULL;
}
err = tls_imp->ti_session_connect( ld, ssl, sni );
#ifdef HAVE_WINSOCK
errno = WSAGetLastError();
......
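Review bot: The numeric-address test in the `isdigit` loop misses most IPv6 literals: `fe80::1` or `dead:beef::1` begin with a hex letter, so `numeric` is cleared on the first character and the literal is still passed as SNI, which RFC 6066 does not allow; only addresses whose leading group is all digits (`2001:db8::1`, `::1`) reach the `':'` break. Checking for a `':'` anywhere in the string before the digit loop covers the IPv6 case, assuming `host` never carries a `:port` suffix here (it is the bare hostname in the callers I am aware of; worth confirming). `isdigit( *c )` should also be `isdigit( (unsigned char)*c )`, because a plain `char` with the high bit set, as in a non-ASCII hostname, is undefined behaviour for the ctype functions. In the first hunk `char *sni = host;` discards the `const` of the `host` parameter; `sni` and `c` should be `const char *`. `ldap_int_tls_connect` starts before the first hunk and continues past the second.
```c
	{
		int numeric = 1;
		const char *c;
		/* RFC 6066: IP literals must not be sent as SNI. Any ':' marks
		 * an IPv6 literal; otherwise the name is numeric only if it
		 * consists solely of digits and dots. */
		if ( strchr( sni, ':' ) == NULL ) {
			for ( c = sni; *c; c++ ) {
				if ( *c == '.' )
					continue;
				if ( !isdigit( (unsigned char)*c )) {
					numeric = 0;
					break;
				}
			}
		}
		if ( numeric )
			sni = NULL;
	}
	/* … unchanged: ti_session_connect call … */
```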
......@@ -530,7 +530,9 @@ tlso_session_connect( LDAP *ld, tls_session *sess, const char *name_in )
int rc;
#ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
SSL_set_tlsext_host_name( s, name_in );
if ( name_in ) {
SSL_set_tlsext_host_name( s, name_in );
}
#endif
/* Caller expects 0 = success, OpenSSL returns 1 = success */
rc = SSL_connect( s ) - 1;
......
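Review bot: The return value of `SSL_set_tlsext_host_name` is still ignored inside the new `if ( name_in )` guard; it returns 0 when the name cannot be set (for instance a name exceeding the extension's 255-byte hostname limit), and the handshake then silently continues without SNI. Treat 0 as a failure, e.g. `if ( name_in && !SSL_set_tlsext_host_name( s, name_in )) { /* log via the file's Debug macro, return non-zero */ }`, since the caller expects 0 only on success per the comment above `SSL_connect`. Now that `name_in` may be NULL, any later use of it in `tlso_session_connect` (a hostname-verification path, if this version has one) needs the same guard; that part of the function lies outside the hunk.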