Date:      Sat, 01 Feb 2014 08:40:33 -0600
From:      Bryan Drewery <bdrewery@FreeBSD.org>
To:        Thomas Steen Rasmussen <thomas@gibfest.dk>, Sofian Brabez <sbz@FreeBSD.org>, freebsd-hackers@FreeBSD.org
Cc:        Dag-Erling Smørgrav <des@FreeBSD.org>
Subject:   Re: [patch] TLS Server Name Indication (SNI) support for fetch(1)
Message-ID:  <52ED0761.5000301@FreeBSD.org>
In-Reply-To: <52BECBE8.8080906@gibfest.dk>
References:  <20130608205653.GA8765@ogoshi.int.nbs-system.com> <52BECBE8.8080906@gibfest.dk>


On 12/28/2013 7:02 AM, Thomas Steen Rasmussen wrote:
> On 08-06-2013 22:56, Sofian Brabez wrote:
>> Hi,
>>
>> fetch(1) currently does not support TLS extension Server Name
>> Indication (RFC 6066) [1] when dealing with SSL. Nowadays a lot of
>> clients and servers implement this extension.
> Hello!
>
> fetch(1) is still missing SNI support as of r259440 - any chance of
> seeing this patch committed?
> As IPv4 depletion gets worse we will see SSL websites using SNI more and
> more. This is overdue.
>
> Thanks, and may you all have a wonderful new year!
>
> /Thomas Steen Rasmussen


This was added in head r258347 Nov 19 2013:
http://svnweb.freebsd.org/changeset/base/258347

It made it to stable/10 before 10.0 and into stable/9.

It works if you install ca_root_nss cert.pem:

> # pkg install ca_root_nss
> ...
> # ln -s /usr/local/share/certs/ca-root-nss.crt /etc/ssl/cert.pem
> ...
> # fetch -v -o - https://sni.velox.ch|head -n 15
> looking up sni.velox.ch
> connecting to sni.velox.ch:443
> SSL options: 81004bff
> Peer verification enabled
> Using CA cert file: /etc/ssl/cert.pem
> Verify hostname
> SSL connection established using ECDHE-RSA-AES256-GCM-SHA384
> Certificate subject: /C=CH/ST=Zuerich/L=Zuerich/O=Kaspar Brand/CN=*.sni.velox.ch
> Certificate issuer: /C=BM/O=QuoVadis Limited/OU=www.quovadisglobal.com/CN=QuoVadis Global SSL ICA
> requesting https://sni.velox.ch/
> -                                             <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
> <html>
> <head>
>         5063  B<title>TLS SNI Test Site: *.sni.velox.ch</title>
> </head>
>   945 kBps<body>
>  00m00s<h2>TLS SNI Test Site: *.sni.velox.ch</h2>
>
>
> <p><strong>Great! Your client </strong>[fetch libfetch/2.0] <strong>
> sent the following TLS server name indication extension
> (<a href="http://www.rfc-editor.org/rfc/rfc6066.txt">RFC 6066</a>)
> in its ClientHello </strong>(negotiated protocol: TLSv1.2, cipher suite: ECDHE-RSA-AES256-GCM-SHA384)<strong>:</strong></p>
> <pre>  <strong>sni.velox.ch</strong></pre>
> <p>In your request, this header was included:</p>
> <pre>  Host: sni.velox.ch</pre>


I'm not sure what the plan is for a base CA file, but adding ca_root_nss
does allow it to work.

-- 
Regards,
Bryan Drewery


