Date: Sat, 01 Feb 2014 08:40:33 -0600
From: Bryan Drewery <bdrewery@FreeBSD.org>
To: Thomas Steen Rasmussen <thomas@gibfest.dk>, Sofian Brabez <sbz@FreeBSD.org>, freebsd-hackers@FreeBSD.org
Cc: Dag-Erling Smørgrav <des@FreeBSD.org>
Subject: Re: [patch] TLS Server Name Indication (SNI) support for fetch(1)
Message-ID: <52ED0761.5000301@FreeBSD.org>
In-Reply-To: <52BECBE8.8080906@gibfest.dk>
References: <20130608205653.GA8765@ogoshi.int.nbs-system.com> <52BECBE8.8080906@gibfest.dk>
On 12/28/2013 7:02 AM, Thomas Steen Rasmussen wrote:
> On 08-06-2013 22:56, Sofian Brabez wrote:
>> Hi,
>>
>> fetch(1) currently does not support TLS extension Server Name
>> Indication (RFC 6066) [1] when dealing with SSL. Nowadays a lot of
>> clients and servers implement this extension.
> Hello!
>
> fetch(1) is still missing SNI support as of r259440 - any chance of
> seeing this patch committed?
> As IPv4 depletion gets worse we will see SSL websites using SNI more and
> more. This is overdue.
>
> Thanks, and may you all have a wonderful new year!
>
> /Thomas Steen Rasmussen

This was added in head r258347 Nov 19 2013:
http://svnweb.freebsd.org/changeset/base/258347

It made it to stable/10 before 10.0 and into stable/9.

It works if you install ca_root_nss cert.pem:

> # pkg install ca_root_nss
> ...
> # ln -s /usr/local/share/certs/ca-root-nss.crt /etc/ssl/cert.pem
> ...
> # fetch -v -o - https://sni.velox.ch|head -n 15
> looking up sni.velox.ch
> connecting to sni.velox.ch:443
> SSL options: 81004bff
> Peer verification enabled
> Using CA cert file: /etc/ssl/cert.pem
> Verify hostname
> SSL connection established using ECDHE-RSA-AES256-GCM-SHA384
> Certificate subject: /C=CH/ST=Zuerich/L=Zuerich/O=Kaspar Brand/CN=*.sni.velox.ch
> Certificate issuer: /C=BM/O=QuoVadis Limited/OU=www.quovadisglobal.com/CN=QuoVadis Global SSL ICA
> requesting https://sni.velox.ch/
> - <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
> <html>
> <head>
> 5063 B<title>TLS SNI Test Site: *.sni.velox.ch</title>
> </head>
> 945 kBps<body>
> 00m00s<h2>TLS SNI Test Site: *.sni.velox.ch</h2>
>
>
> <p><strong>Great! Your client </strong>[fetch libfetch/2.0] <strong>
> sent the following TLS server name indication extension
> (<a href="http://www.rfc-editor.org/rfc/rfc6066.txt">RFC 6066</a>)
> in its ClientHello </strong>(negotiated protocol: TLSv1.2, cipher suite: ECDHE-RSA-AES256-GCM-SHA384)<strong>:</strong></p>
> <pre> <strong>sni.velox.ch</strong></pre>
> <p>In your request, this header was included:</p>
> <pre> Host: sni.velox.ch</pre>

I'm not sure what the plan is for a base CA file, but adding ca_root_nss does allow it to work.

-- 
Regards,
Bryan Drewery
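The test site above echoes the server_name that fetch put in its ClientHello. As an added example, not code from this thread or from libfetch, here is a small Python parser that pulls the RFC 6066 server_name extension out of a raw TLS ClientHello record, the kind of check a network monitor uses to log which hostname a client asked for; the ClientHello bytes are built by a hypothetical helper rather than taken from a capture.

```python
import struct

SNI_EXT_TYPE = 0    # RFC 6066 extension_type server_name(0)
HOST_NAME_TYPE = 0  # RFC 6066 NameType host_name(0)


def build_client_hello(server_name: str) -> bytes:
    """Constructed sample input: a minimal TLS 1.2 ClientHello record with one SNI host_name."""
    name = server_name.encode("ascii")
    sni_list = struct.pack("!BH", HOST_NAME_TYPE, len(name)) + name
    sni_ext = struct.pack("!HHH", SNI_EXT_TYPE, len(sni_list) + 2, len(sni_list)) + sni_list
    other_ext = struct.pack("!HH", 0x000D, 0)  # an empty unrelated extension the parser must skip
    extensions = other_ext + sni_ext
    body = (b"\x03\x03" + b"\x00" * 32               # client_version TLS 1.2, 32-byte random
            + b"\x00"                                # empty session_id
            + struct.pack("!H", 2) + b"\xc0\x30"     # one cipher suite (ECDHE-RSA-AES256-GCM-SHA384)
            + b"\x01\x00"                            # one compression method: null
            + struct.pack("!H", len(extensions)) + extensions)
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body  # client_hello(1), uint24 length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes):
    """Return the host_name from the ClientHello's server_name extension, or None if absent."""
    if len(record) < 44 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    pos = 5 + 4 + 2 + 32                         # record hdr, handshake hdr, version, random
    pos += 1 + record[pos]                       # session_id
    pos += 2 + struct.unpack("!H", record[pos:pos + 2])[0]   # cipher_suites
    pos += 1 + record[pos]                       # compression_methods
    if pos + 2 > len(record):
        return None                              # ClientHello without an extensions block
    ext_end = pos + 2 + struct.unpack("!H", record[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= ext_end:
        ext_type, ext_len = struct.unpack("!HH", record[pos:pos + 4])
        pos += 4
        if ext_type != SNI_EXT_TYPE:
            pos += ext_len                       # skip extensions we do not care about
            continue
        list_len = struct.unpack("!H", record[pos:pos + 2])[0]
        q, end = pos + 2, pos + 2 + list_len
        while q + 3 <= end:                      # ServerNameList entry: NameType(1) + length(2) + name
            name_type, name_len = struct.unpack("!BH", record[q:q + 3])
            if name_type == HOST_NAME_TYPE:
                return record[q + 3:q + 3 + name_len].decode("ascii")
            q += 3 + name_len
        return None
    return None
```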