Message-Id: <201311020459.rA24xr63067481@oldred.freebsd.org>
Date: Sat, 2 Nov 2013 04:59:53 GMT
From: Michael Gmelin <freebsd@grem.de>
To: freebsd-gnats-submit@FreeBSD.org
Subject: [patch] Support SNI in libfetch
X-Send-Pr-Version: www-3.1
X-GNATS-Notify:

>Number:         183583
>Category:       kern
>Synopsis:       [patch] Support SNI in libfetch
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    des
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Sat Nov 02 05:10:00 UTC 2013
>Closed-Date:    Tue Nov 19 09:35:46 CST 2013
>Last-Modified:  Mon Dec  2 11:00:00 UTC 2013
>Originator:     Michael Gmelin
>Release:        10.0-BETA2
>Organization:
Grem Equity GmbH
>Environment:
FreeBSD srv15 10.0-BETA2 FreeBSD 10.0-BETA2 #0: Mon Oct 28 20:44:29 UTC 2013     root@:/usr/obj/usr/src/sys/GENERIC  amd64
>Description:
sbz@freebsd.org created and submitted a patch earlier this year [2] that made libfetch support SNI (server name indication) [1]. It seems like this overlapped with my more complex submission earlier this year and somehow got lost.

I made the patch work with the current version of libfetch; it should work in 10 as well as in 9. It's extremely trivial and auditing should be a matter of seconds.
 
[1] http://en.wikipedia.org/wiki/Server_Name_Indication
[2] http://lists.freebsd.org/pipermail/freebsd-hackers/2013-June/042938.html

>How-To-Repeat:
Try fetching https://sni.velo.ch before and after the patch, observe the difference.

fetch https://sni.velo.ch
(see the original patch listed above [2] for a more detailed explanation and procedure).
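A way to check the How-To-Repeat step on the wire rather than by eye: the Python below is an added example, not part of this PR or of libfetch. It constructs a minimal TLS ClientHello record with and without the server_name extension and extracts the SNI host name the way a packet-capture inspector would, so a capture of fetch(1) before and after the patch can be compared mechanically. The record layout follows RFC 5246 and RFC 6066; the sample bytes (zeroed random, one cipher suite, the test host name from this PR) are constructed here, not captured.

```python
import struct

SNI_EXT_TYPE = 0x0000  # server_name extension type (RFC 6066)


def build_client_hello(sni=None):
    """Construct a minimal TLS 1.2 ClientHello record (sample bytes, not a capture).

    With sni=None no extensions block is emitted at all, mirroring a client
    that does not send TLS extensions.
    """
    body = b"\x03\x03" + bytes(32)                # client_version + zeroed random
    body += b"\x00"                               # empty session_id
    body += struct.pack(">H", 2) + b"\xc0\x2f"    # one cipher suite
    body += b"\x01\x00"                           # one compression method (null)
    if sni is not None:
        name = sni.encode("ascii")
        entry = b"\x00" + struct.pack(">H", len(name)) + name  # name_type host_name(0)
        data = struct.pack(">H", len(entry)) + entry           # ServerNameList
        ext = struct.pack(">HH", SNI_EXT_TYPE, len(data)) + data
        body += struct.pack(">H", len(ext)) + ext
    hs = b"\x01" + len(body).to_bytes(3, "big") + body         # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack(">H", len(hs)) + hs   # record layer header


def extract_sni(record):
    """Return the host_name carried in the ClientHello's SNI extension, or None."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    hs = record[5:5 + struct.unpack(">H", record[3:5])[0]]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    p = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    off = 2 + 32                                          # skip client_version and random
    off += 1 + p[off]                                     # session_id
    off += 2 + struct.unpack(">H", p[off:off + 2])[0]     # cipher_suites
    off += 1 + p[off]                                     # compression_methods
    if off + 2 > len(p):
        return None                                       # no extensions block at all
    end = off + 2 + struct.unpack(">H", p[off:off + 2])[0]
    off += 2
    while off + 4 <= end:
        etype, elen = struct.unpack(">HH", p[off:off + 4])
        edata = p[off + 4:off + 4 + elen]
        off += 4 + elen
        if etype == SNI_EXT_TYPE and len(edata) >= 5 and edata[2] == 0:
            nlen = struct.unpack(">H", edata[3:5])[0]
            return edata[5:5 + nlen].decode("ascii")
    return None


if __name__ == "__main__":
    for host in ("sni.velox.ch", None):
        print(host, "->", extract_sni(build_client_hello(host)))
```

To use it on a real capture, feed `extract_sni()` the first record of the client-to-server TCP payload; a pre-patch fetch(1) yields None, a patched one yields the URL host.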


>Fix:
Apply the attached patch.

cd /usr/src
patch </path/to/libfetch_sni.patch.txt

Patch attached with submission follows:

Index: lib/libfetch/common.c
===================================================================
--- lib/libfetch/common.c	(revision 257540)
+++ lib/libfetch/common.c	(working copy)
@@ -829,6 +829,15 @@
 		return (-1);
 	}
 	SSL_set_fd(conn->ssl, conn->sd);
+
+#if OPENSSL_VERSION_NUMBER >= 0x0090806fL && !defined(OPENSSL_NO_TLSEXT)
+	if (!SSL_set_tlsext_host_name(conn->ssl, URL->host)) {
+		fprintf(stderr,
+		    "TLS server name indication extension failed for host %s\n",
+		    URL->host);
+		return (-1);
+	}
+#endif
 	while ((ret = SSL_connect(conn->ssl)) == -1) {
 		ssl_err = SSL_get_error(conn->ssl, ret);
 		if (ssl_err != SSL_ERROR_WANT_READ &&
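Review bot: `URL->host` is handed straight to `SSL_set_tlsext_host_name()`, which in OpenSSL is a macro around `SSL_ctrl()` that applies a `(char *)` cast to its argument; if `URL` is a `const struct url *` in `fetch_ssl()` (the `@@` header in this hunk omits the enclosing function, so the signature is not visible here), that discards the qualifier and trips `-Wcast-qual`. Suggest passing `__DECONST(char *, URL->host)` there, or confirming the parameter is non-const before commit. The `#if OPENSSL_VERSION_NUMBER >= 0x0090806fL && !defined(OPENSSL_NO_TLSEXT)` guard matches the version in which the extension API appeared and is fine as written.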


>Release-Note:
>Audit-Trail:

From: Michael Gmelin <freebsd@grem.de>
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: kern/183583: [patch] Support SNI in libfetch
Date: Sat, 2 Nov 2013 06:22:47 +0100

 The test URL is https://sni.velox.ch
 (no bicycles involved)
 
 -- 
 Michael Gmelin
Responsible-Changed-From-To: freebsd-bugs->bdrewery 
Responsible-Changed-By: bdrewery 
Responsible-Changed-When: Sat Nov 2 07:27:16 CDT 2013 
Responsible-Changed-Why:  
I'll take it. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=183583 
Responsible-Changed-From-To: bdrewery->des 
Responsible-Changed-By: sbz 
Responsible-Changed-When: Sat Nov 2 13:11:13 UTC 2013 
Responsible-Changed-Why:  
des@ is already aware of my patch and the good person to handle it 

http://www.freebsd.org/cgi/query-pr.cgi?pr=183583 
State-Changed-From-To: open->closed 
State-Changed-By: bdrewery 
State-Changed-When: Tue Nov 19 09:35:45 CST 2013 
State-Changed-Why:  
Committed in r258347. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=183583 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: kern/183583: commit references a PR
Date: Tue, 19 Nov 2013 15:35:33 +0000 (UTC)

 Author: bdrewery (ports committer)
 Date: Tue Nov 19 15:35:26 2013
 New Revision: 258347
 URL: http://svnweb.freebsd.org/changeset/base/258347
 
 Log:
   Support SNI in libfetch
   
   SNI is Server Name Indication, which is a protocol for TLS that
   indicates the host that is being connected to at the start of the
   handshake. It allows the use of Virtual Hosts on HTTPS.
   
   Submitted by:	sbz
   Submitted by:	Michael Gmelin <freebsd@grem.de> [1]
   PR:		kern/183583 [1]
   Reviewed by:	des
   Approved by:	bapt
   MFC after:	1 week
 
 Modified:
   head/lib/libfetch/common.c
 
 Modified: head/lib/libfetch/common.c
 ==============================================================================
 --- head/lib/libfetch/common.c	Tue Nov 19 14:24:25 2013	(r258346)
 +++ head/lib/libfetch/common.c	Tue Nov 19 15:35:26 2013	(r258347)
 @@ -829,6 +829,15 @@ fetch_ssl(conn_t *conn, const struct url
  		return (-1);
  	}
  	SSL_set_fd(conn->ssl, conn->sd);
 +
 +#if OPENSSL_VERSION_NUMBER >= 0x0090806fL && !defined(OPENSSL_NO_TLSEXT)
 +	if (!SSL_set_tlsext_host_name(conn->ssl, URL->host)) {
 +		fprintf(stderr,
 +		    "TLS server name indication extension failed for host %s\n",
 +		    URL->host);
 +		return (-1);
 +	}
 +#endif
  	while ((ret = SSL_connect(conn->ssl)) == -1) {
  		ssl_err = SSL_get_error(conn->ssl, ret);
  		if (ssl_err != SSL_ERROR_WANT_READ &&
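Review bot: the server name is sent unconditionally, but RFC 6066 section 3 does not permit literal IPv4 or IPv6 addresses in the SNI `HostName`, and `URL->host` holds whatever the URL carried, including a numeric address. Suggest skipping the `SSL_set_tlsext_host_name()` call when `inet_pton()` accepts `URL->host` for `AF_INET` or `AF_INET6`, so that fetches by IP address do not send a non-conforming extension to strict servers. The function header visible in this hunk, `fetch_ssl(conn_t *conn, const struct url`, also shows that `URL` is const, so the `(char *)` cast inside the macro casts that qualifier away; `__DECONST(char *, URL->host)` would make that explicit.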
 _______________________________________________
 svn-src-all@freebsd.org mailing list
 http://lists.freebsd.org/mailman/listinfo/svn-src-all
 To unsubscribe, send any mail to "svn-src-all-unsubscribe@freebsd.org"
 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: kern/183583: commit references a PR
Date: Fri, 29 Nov 2013 21:13:43 +0000 (UTC)

 Author: bdrewery (ports committer)
 Date: Fri Nov 29 21:13:30 2013
 New Revision: 258756
 URL: http://svnweb.freebsd.org/changeset/base/258756
 
 Log:
   MFC r258347,r258349:
   
     Support SNI in libfetch
   
     SNI is Server Name Indication, which is a protocol for TLS that
     indicates the host that is being connected to at the start of the
     handshake. It allows the use of Virtual Hosts on HTTPS.
   
   PR:		kern/183583
   Approved by:	bapt (implicit)
   Approved by:	re (gjb)
 
 Modified:
   stable/10/lib/libfetch/common.c
 Directory Properties:
   stable/10/lib/libfetch/   (props changed)
 
 Modified: stable/10/lib/libfetch/common.c
 ==============================================================================
 --- stable/10/lib/libfetch/common.c	Fri Nov 29 21:12:35 2013	(r258755)
 +++ stable/10/lib/libfetch/common.c	Fri Nov 29 21:13:30 2013	(r258756)
 @@ -829,6 +829,16 @@ fetch_ssl(conn_t *conn, const struct url
  		return (-1);
  	}
  	SSL_set_fd(conn->ssl, conn->sd);
 +
 +#if OPENSSL_VERSION_NUMBER >= 0x0090806fL && !defined(OPENSSL_NO_TLSEXT)
 +	if (!SSL_set_tlsext_host_name(conn->ssl,
 +	    __DECONST(struct url *, URL)->host)) {
 +		fprintf(stderr,
 +		    "TLS server name indication extension failed for host %s\n",
 +		    URL->host);
 +		return (-1);
 +	}
 +#endif
  	while ((ret = SSL_connect(conn->ssl)) == -1) {
  		ssl_err = SSL_get_error(conn->ssl, ret);
  		if (ssl_err != SSL_ERROR_WANT_READ &&
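Review bot: `__DECONST(struct url *, URL)->host` strips `const` from the whole structure to reach one member; `__DECONST(char *, URL->host)` is narrower and states exactly what is being cast. Separately, when the macro fails the reason is left on the OpenSSL error queue and only the host name is reported; adding `ERR_print_errors_fp(stderr)` next to the `fprintf` would make that failure path diagnosable.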
 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: kern/183583: commit references a PR
Date: Mon,  2 Dec 2013 10:59:50 +0000 (UTC)

 Author: bdrewery (ports committer)
 Date: Mon Dec  2 10:59:41 2013
 New Revision: 258844
 URL: http://svnweb.freebsd.org/changeset/base/258844
 
 Log:
   MFC r258347,r258349:
   
     Support SNI in libfetch
   
     SNI is Server Name Indication, which is a protocol for TLS that
     indicates the host that is being connected to at the start of the
     handshake. It allows the use of Virtual Hosts on HTTPS.
   
   PR:		kern/183583
   Approved by:	bapt (implicit)
 
 Modified:
   stable/9/lib/libfetch/common.c
 Directory Properties:
   stable/9/lib/libfetch/   (props changed)
 
 Modified: stable/9/lib/libfetch/common.c
 ==============================================================================
 --- stable/9/lib/libfetch/common.c	Mon Dec  2 10:18:25 2013	(r258843)
 +++ stable/9/lib/libfetch/common.c	Mon Dec  2 10:59:41 2013	(r258844)
 @@ -829,6 +829,16 @@ fetch_ssl(conn_t *conn, const struct url
  		return (-1);
  	}
  	SSL_set_fd(conn->ssl, conn->sd);
 +
 +#if OPENSSL_VERSION_NUMBER >= 0x0090806fL && !defined(OPENSSL_NO_TLSEXT)
 +	if (!SSL_set_tlsext_host_name(conn->ssl,
 +	    __DECONST(struct url *, URL)->host)) {
 +		fprintf(stderr,
 +		    "TLS server name indication extension failed for host %s\n",
 +		    URL->host);
 +		return (-1);
 +	}
 +#endif
  	while ((ret = SSL_connect(conn->ssl)) == -1) {
  		ssl_err = SSL_get_error(conn->ssl, ret);
  		if (ssl_err != SSL_ERROR_WANT_READ &&
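Review bot: the hunk is identical to the stable/10 merge, so the same points apply; one caveat worth a comment in the code: the `server_name` extension only tells the server which certificate to present, and nothing in this hunk checks that the certificate it returns actually matches `URL->host`. Hostname verification is a separate step outside this change, so the log message should not be read as tightening certificate validation in libfetch.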
 
>Unformatted:
