Date: Sat, 01 Feb 2014 08:40:33 -0600
From: Bryan Drewery <bdrewery@FreeBSD.org>
To: Thomas Steen Rasmussen <thomas@gibfest.dk>, Sofian Brabez <sbz@FreeBSD.org>, freebsd-hackers@FreeBSD.org
Cc: Dag-Erling Smørgrav <des@FreeBSD.org>
Subject: Re: [patch] TLS Server Name Indication (SNI) support for fetch(1)
Message-ID: <52ED0761.5000301@FreeBSD.org>
In-Reply-To: <52BECBE8.8080906@gibfest.dk>
References: <20130608205653.GA8765@ogoshi.int.nbs-system.com> <52BECBE8.8080906@gibfest.dk>
On 12/28/2013 7:02 AM, Thomas Steen Rasmussen wrote:
> On 08-06-2013 22:56, Sofian Brabez wrote:
>> Hi,
>>
>> fetch(1) currently does not support TLS extension Server Name
>> Indication (RFC 6066) [1] when dealing with SSL. Nowadays a lot of
>> clients and servers implement this extension.
> Hello!
>
> fetch(1) is still missing SNI support as of r259440 - any chance of
> seeing this patch committed?
> As IPv4 depletion gets worse we will see SSL websites using SNI more and
> more. This is overdue.
>
> Thanks, and may you all have a wonderful new year!
>
> /Thomas Steen Rasmussen

This was added in head r258347 Nov 19 2013:
http://svnweb.freebsd.org/changeset/base/258347

It made it to stable/10 before 10.0 and into stable/9.

It works if you install ca_root_nss cert.pem:

> # pkg install ca_root_nss
> ...
> # ln -s /usr/local/share/certs/ca-root-nss.crt /etc/ssl/cert.pem
> ...
> # fetch -v -o - https://sni.velox.ch|head -n 15
> looking up sni.velox.ch
> connecting to sni.velox.ch:443
> SSL options: 81004bff
> Peer verification enabled
> Using CA cert file: /etc/ssl/cert.pem
> Verify hostname
> SSL connection established using ECDHE-RSA-AES256-GCM-SHA384
> Certificate subject: /C=CH/ST=Zuerich/L=Zuerich/O=Kaspar Brand/CN=*.sni.velox.ch
> Certificate issuer: /C=BM/O=QuoVadis Limited/OU=www.quovadisglobal.com/CN=QuoVadis Global SSL ICA
> requesting https://sni.velox.ch/
> - <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
> <html>
> <head>
> 5063 B<title>TLS SNI Test Site: *.sni.velox.ch</title>
> </head>
> 945 kBps<body>
> 00m00s<h2>TLS SNI Test Site: *.sni.velox.ch</h2>
>
>
> <p><strong>Great! Your client </strong>[fetch libfetch/2.0] <strong>
> sent the following TLS server name indication extension
> (<a href="http://www.rfc-editor.org/rfc/rfc6066.txt">RFC 6066</a>)
> in its ClientHello </strong>(negotiated protocol: TLSv1.2, cipher suite: ECDHE-RSA-AES256-GCM-SHA384)<strong>:</strong></p>
> <pre> <strong>sni.velox.ch</strong></pre>
> <p>In your request, this header was included:</p>
> <pre> Host: sni.velox.ch</pre>

I'm not sure what the plan is for a base CA file, but adding ca_root_nss
does allow it to work.

-- 
Regards,
Bryan Drewery
