From: Sofian Brabez <sbrabez@gmail.com>
Date: Sat, 8 Jun 2013 22:56:53 +0200
To: freebsd-hackers@FreeBSD.org
Cc: Dag-Erling Smørgrav
Subject: [patch] TLS Server Name Indication (SNI) support for fetch(1)
Message-ID: <20130608205653.GA8765@ogoshi.int.nbs-system.com>
User-Agent: Mutt/1.5.21 (2010-09-15)

Hi,

fetch(1) currently does not support the TLS extension Server Name Indication (RFC 6066) [1] when dealing with SSL. Nowadays lots of clients and servers implement this extension.

Using the TLS SNI Test website sni.velox.ch [2], the test fails in r251550:

% fetch -o out https://sni.velox.ch/ && grep 'libfetch' out
fetch: https://sni.velox.ch/: size of remote file is not known
out                                                  5101  B  134 kBps 00m00s

Unfortunately, your client [fetch libfetch/2.0]

After patching lib/libfetch with my changes:

% cd /usr/src/lib/libfetch
% patch -p0 < <(fetch -o - http://people.freebsd.org/~sbz/fetch_ssl_sni.diff)

And after rebuilding the lib/libfetch library and the usr.bin/fetch program, the test succeeded:

% fetch -o out https://sni.velox.ch/ && grep 'libfetch' out
fetch: https://sni.velox.ch/: size of remote file is not known
out                                                  5063  B  104 kBps 00m00s

Great! Your client [fetch libfetch/2.0]

Our OpenSSL version 1.0.1c in base supports this extension already. s_client does too, using the -servername argument:

% openssl version
OpenSSL 1.0.1c-freebsd 10 May 2012
% openssl s_client -h 2>&1| grep servername
 -servername host  - Set TLS extension servername in ClientHello
% openssl s_client -connect sni.velox.ch:443 -servername sni.velox.ch -tlsextdebug 2>/dev/null|grep 'extension'
TLS server extension "server name" (id=0), len=0
TLS server extension "renegotiation info" (id=65281), len=1
TLS server extension "EC point formats" (id=11), len=4
TLS server extension "session ticket" (id=35), len=0
TLS server extension "heartbeat" (id=15), len=1

You will find the patch here [3] and as an inline attachment. Is it OK for you, des@?

Regards

[1] http://en.wikipedia.org/wiki/Server_Name_Indication
[2] https://sni.velox.ch/
[3] http://people.freebsd.org/~sbz/fetch_ssl_sni.diff

-- 
Sofian Brabez

[Attachment: fetch_ssl_sni.diff (text/x-diff)]

Index: common.c =================================================================== --- common.c (revision 251547) +++ common.c (working copy) @@ -322,7 +322,7 @@ * Enable SSL on a connection. */ int -fetch_ssl(conn_t *conn, int verbose) +fetch_ssl(conn_t *conn, int verbose, char *hostname) { #ifdef WITH_SSL int ret, ssl_err; @@ -345,6 +345,14 @@ return (-1); } SSL_set_fd(conn->ssl, conn->sd); + +#if OPENSSL_VERSION_NUMBER >= 0x0090806fL && !defined(OPENSSL_NO_TLSEXT) + if (!SSL_set_tlsext_host_name(conn->ssl, hostname)) { + fprintf(stderr, "TLS server name indication extension failed for host %s\n", hostname); + return (-1); + } +#endif + while ((ret = SSL_connect(conn->ssl)) == -1) { ssl_err = SSL_get_error(conn->ssl, ret); if (ssl_err != SSL_ERROR_WANT_READ && Index: common.h =================================================================== --- common.h (revision 251547) +++ common.h (working copy) 
@@ -87,7 +87,7 @@ conn_t *fetch_connect(const char *, int, int, int); conn_t *fetch_reopen(int); conn_t *fetch_ref(conn_t *); -int fetch_ssl(conn_t *, int); +int fetch_ssl(conn_t *, int, char*); ssize_t fetch_read(conn_t *, char *, size_t); int fetch_getln(conn_t *); ssize_t fetch_write(conn_t *, const char *, size_t); Index: http.c =================================================================== --- http.c (revision 251547) +++ http.c (working copy) @@ -1408,7 +1408,7 @@ http_get_reply(conn); } if (strcasecmp(URL->scheme, SCHEME_HTTPS) == 0 && - fetch_ssl(conn, verbose) == -1) { + fetch_ssl(conn, verbose, URL->host) == -1) { fetch_close(conn); /* grrr */ errno = EAUTH;
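Review bot: in the common.c hunk at @@ -322,7 +322,7 @@, the new parameter in `+fetch_ssl(conn_t *conn, int verbose, char *hostname)` should be `const char *hostname`. The function only reads it (it is handed to SSL_set_tlsext_host_name() and printed) and the caller passes `URL->host`, so a const-correct signature documents that fetch_ssl() never modifies the URL's host string.

Review bot: in the common.c hunk at @@ -345,6 +345,14 @@, `SSL_set_tlsext_host_name(conn->ssl, hostname)` is called for every HTTPS connection, but RFC 6066 section 3 does not permit literal IPv4 or IPv6 addresses in the HostName field, so a URL such as https://192.0.2.1/ would now put a value on the wire that the server must not receive; guard the call with an inet_pton() check (or equivalent) and skip SNI for IP literals. Two smaller points in the same hunk: the `fprintf(stderr, ...)` runs unconditionally from library code although fetch_ssl() already takes a `verbose` flag for exactly this kind of message, so gate it on `verbose`; and on failure the function returns -1 without releasing conn->ssl, which is consistent with the existing `return (-1)` just above SSL_set_fd(), so cleanup is being left to the caller's fetch_close() either way. The guard `OPENSSL_VERSION_NUMBER >= 0x0090806fL && !defined(OPENSSL_NO_TLSEXT)` is the right one (0.9.8f is where the TLS extension API appeared), but on a build that fails it the patch silently falls back to no SNI, which deserves a comment.

Review bot: in the common.h hunk at @@ -87,7 +87,7 @@, `+int fetch_ssl(conn_t *, int, char*);` should read `const char *` for the reason given above, and the spacing should be `char *` to match `fetch_read(conn_t *, char *, size_t)` on the neighbouring lines and style(9).

Review bot: in the http.c hunk at @@ -1408,7 +1408,7 @@, `URL->host` is the origin host from the URL, which is the correct SNI value, but the existing error path below the call still sets `errno = EAUTH`. An SNI setup failure is not an authentication failure, and the user would now see both the new stderr message from fetch_ssl() and fetch's EAUTH text, so either map the SNI failure to a distinct error or leave the reporting to this caller and drop the fprintf() in fetch_ssl().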
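What the patch puts on the wire is the RFC 6066 server_name extension, the same extension type that shows up as `TLS server extension "server name" (id=0)` in the s_client output above. As an added example, not code from the patch or from libfetch, here is a small C encoder and decoder for that extension, with the two checks a client should apply before handing a name to SSL_set_tlsext_host_name(): the name must not be an IP literal (RFC 6066 section 3) and, for OpenSSL, must not exceed 255 bytes (TLSEXT_MAXLEN_host_name). The host names used in it are constructed test values.

```c
/*
 * Added example, not part of the patch or of libfetch: encode and decode
 * the RFC 6066 server_name extension that SSL_set_tlsext_host_name()
 * places in the ClientHello, applying the client-side checks first.
 *
 * Wire format (RFC 6066, section 3):
 *   uint16 ExtensionType = 0 (server_name)
 *   uint16 extension_data length
 *     uint16 ServerNameList length
 *       uint8  NameType = 0 (host_name)
 *       uint16 HostName length
 *       opaque HostName
 */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

enum {
	SNI_EXT_TYPE = 0,	/* ExtensionType server_name */
	SNI_NAME_TYPE_HOST = 0,	/* NameType host_name */
	SNI_MAX_HOST = 255,	/* OpenSSL's TLSEXT_MAXLEN_host_name cap */
	SNI_HDR_LEN = 9		/* bytes preceding the HostName octets */
};

static void put16(uint8_t *p, size_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }
static size_t get16(const uint8_t *p) { return (((size_t)p[0] << 8) | p[1]); }

/* RFC 6066 s.3: literal IPv4 and IPv6 addresses are not permitted in HostName. */
int sni_is_ip_literal(const char *host)
{
	unsigned char buf[sizeof(struct in6_addr)];
	return (inet_pton(AF_INET, host, buf) == 1 ||
	    inet_pton(AF_INET6, host, buf) == 1);
}

/* Encode; returns bytes written, or -1 when the name must not be sent
 * (empty, IP literal, longer than OpenSSL accepts) or out is too small. */
int sni_encode(const char *host, uint8_t *out, size_t outlen)
{
	size_t n = strlen(host), total = SNI_HDR_LEN + n;
	uint8_t *p = out;

	if (n == 0 || n > SNI_MAX_HOST || sni_is_ip_literal(host) || outlen < total)
		return (-1);
	put16(p, SNI_EXT_TYPE);		p += 2;
	put16(p, total - 4);		p += 2;	/* extension_data length */
	put16(p, n + 3);		p += 2;	/* ServerNameList length */
	*p++ = SNI_NAME_TYPE_HOST;
	put16(p, n);			p += 2;	/* HostName length */
	memcpy(p, host, n);
	return ((int)total);
}

/* Decode (the server side); returns the host name length, or -1 if any of
 * the nested lengths disagree, the name is empty, or it does not fit. */
int sni_decode(const uint8_t *in, size_t inlen, char *host, size_t hostlen)
{
	size_t ext_len, list_len, name_len;

	if (inlen < SNI_HDR_LEN || get16(in) != SNI_EXT_TYPE)
		return (-1);
	ext_len = get16(in + 2);
	list_len = get16(in + 4);
	name_len = get16(in + 7);
	if (ext_len != inlen - 4 || list_len != ext_len - 2 ||
	    in[6] != SNI_NAME_TYPE_HOST || name_len != list_len - 3 ||
	    name_len == 0 || name_len >= hostlen)
		return (-1);
	memcpy(host, in + SNI_HDR_LEN, name_len);
	host[name_len] = '\0';
	return ((int)name_len);
}

int main(void)
{
	/* constructed test inputs: one host name, one IPv4 and one IPv6 literal */
	const char *names[] = { "sni.velox.ch", "192.0.2.1", "2001:db8::1" };
	uint8_t buf[SNI_HDR_LEN + SNI_MAX_HOST];
	char host[SNI_MAX_HOST + 1];
	size_t i;
	int n, j;

	for (i = 0; i < sizeof(names) / sizeof(names[0]); i++) {
		n = sni_encode(names[i], buf, sizeof(buf));
		if (n < 0) {
			printf("%s: not sent as SNI\n", names[i]);
			continue;
		}
		printf("%s:", names[i]);
		for (j = 0; j < n; j++)
			printf(" %02x", buf[j]);
		printf("\n  decoded -> %d bytes, host=%s\n",
		    sni_decode(buf, (size_t)n, host, sizeof(host)), host);
	}
	return (0);
}
```

The decoder rejects any disagreement between the three nested length fields rather than trusting the innermost one, which is the check a server-side parser needs so that a short ClientHello cannot make it read past the extension.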