From: Bryan Drewery
Organization: FreeBSD
Date: Sat, 01 Feb 2014 08:40:33 -0600
To: Thomas Steen Rasmussen, Sofian Brabez, freebsd-hackers@FreeBSD.org
Cc: Dag-Erling Smørgrav
Subject: Re: [patch] TLS Server Name Indication (SNI) support for fetch(1)
Message-ID: <52ED0761.5000301@FreeBSD.org>
References: <20130608205653.GA8765@ogoshi.int.nbs-system.com> <52BECBE8.8080906@gibfest.dk>
In-Reply-To: <52BECBE8.8080906@gibfest.dk>

On 12/28/2013 7:02 AM, Thomas Steen Rasmussen wrote:
> On 08-06-2013 22:56, Sofian Brabez wrote:
>> Hi,
>>
>> fetch(1) currently does not support the TLS extension Server Name
>> Indication (RFC 6066) [1] when dealing with SSL. Nowadays a lot of
>> clients and servers implement this extension.
> Hello!
>
> fetch(1) is still missing SNI support as of r259440 - any chance of
> seeing this patch committed?
> As ipv4 depletion gets worse we will see SSL websites using SNI more and
> more. This is overdue.
>
> Thanks, and may you all have a wonderful new year!
>
> /Thomas Steen Rasmussen

This was added in head r258347 Nov 19 2013:
http://svnweb.freebsd.org/changeset/base/258347

It made it to stable/10 before 10.0 and into stable/9.

It works if you install ca_root_nss cert.pem:

> # pkg install ca_root_nss
> ...
> # ln -s /usr/local/share/certs/ca-root-nss.crt /etc/ssl/cert.pem
> ...
> # fetch -v -o - https://sni.velox.ch|head -n 15
> looking up sni.velox.ch
> connecting to sni.velox.ch:443
> SSL options: 81004bff
> Peer verification enabled
> Using CA cert file: /etc/ssl/cert.pem
> Verify hostname
> SSL connection established using ECDHE-RSA-AES256-GCM-SHA384
> Certificate subject: /C=CH/ST=Zuerich/L=Zuerich/O=Kaspar Brand/CN=*.sni.velox.ch
> Certificate issuer: /C=BM/O=QuoVadis Limited/OU=www.quovadisglobal.com/CN=QuoVadis Global SSL ICA
> requesting https://sni.velox.ch/
> -                                             5063 B  945 kBps 00m00s
>
> TLS SNI Test Site: *.sni.velox.ch
>
> Great! Your client [fetch libfetch/2.0] sent the following TLS server name
> indication extension (RFC 6066) in its ClientHello (negotiated protocol:
> TLSv1.2, cipher suite: ECDHE-RSA-AES256-GCM-SHA384):
>
>   sni.velox.ch
>
> In your request, this header was included:
>
>   Host: sni.velox.ch

I'm not sure what the plan is for a base CA file, but adding ca_root_nss
does allow it to work.

-- 
Regards,
Bryan Drewery