On Tue, Feb 26, 2013 at 04:21:10PM +0100, StalkR wrote: > lftp does not support http://en.wikipedia.org/wiki/Server_Name_Indication > GnuTLS and OpenSSL both support it (OpenSSL by default since 0.9.8j). > Test site: https://sni.velox.ch/
This patch should enable SNI in lftp. Thank you for the tip! -- Alexander.
diff --git a/src/lftp_ssl.cc b/src/lftp_ssl.cc
index b856499..1525985 100644
--- a/src/lftp_ssl.cc
+++ b/src/lftp_ssl.cc
@@ -274,6 +274,11 @@ lftp_ssl_gnutls::lftp_ssl_gnutls(int fd1,handshake_mode_t m,const char *h)
 const char *auth=ResMgr::Query("ftp:ssl-auth", hostname);
 if(auth && !strncmp(auth, "SSL", 3))
 gnutls_priority_set_direct(session, "NORMAL:+SSL3.0:-TLS1.0:-TLS1.1:-TLS1.2",0);
+
+ if(h && ResMgr::QueryBool("ssl:use-sni",h)) {
+ if(gnutls_server_name_set(session, GNUTLS_NAME_DNS, h, xstrlen(h)) < 0)
+ fprintf(stderr,"WARNING: failed to configure server name indication (SNI) TLS extension\n");
+ }
 }
 void lftp_ssl_gnutls::load_keys()
 {
@@ -825,6 +830,11 @@ lftp_ssl_openssl::lftp_ssl_openssl(int fd1,handshake_mode_t m,const char *h)
 ssl=SSL_new(instance->ssl_ctx);
 SSL_set_fd(ssl,fd);
 SSL_ctrl(ssl,SSL_CTRL_MODE,SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER,0);
+
+ if(h && ResMgr::QueryBool("ssl:use-sni",h)) {
+ if(!SSL_set_tlsext_host_name(ssl, h))
+ fprintf(stderr,"WARNING: failed to configure server name indication (SNI) TLS extension\n");
+ }
 }
 void lftp_ssl_openssl::load_keys()
 {
diff --git a/src/resource.cc b/src/resource.cc
index 06d1d9c..80a38c8 100644
--- a/src/resource.cc
+++ b/src/resource.cc
@@ -355,6 +355,7 @@ static ResType lftp_vars[] = {
 {"ssl:cert-file", "", ResMgr::FileReadable,0},
 {"ssl:check-hostname", "yes", ResMgr::BoolValidate,0},
 {"ssl:verify-certificate", "yes", ResMgr::BoolValidate,0},
+ {"ssl:use-sni", "yes", ResMgr::BoolValidate,0},
 # if USE_OPENSSL
 {"ssl:ca-path", "", ResMgr::DirReadable,ResMgr::NoClosure},
 {"ssl:crl-path", "", ResMgr::DirReadable,ResMgr::NoClosure},
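Review bot: The block added to the lftp_ssl_gnutls constructor sends `h` as the server name whenever it is non-null, without checking that it is a DNS name or that this is a client-side handshake. RFC 6066 does not permit IP address literals in the SNI HostName, so a connection opened by address would carry a malformed extension; skipping the call when `inet_pton()` accepts `h` as AF_INET or AF_INET6 would avoid that. The constructor also receives `handshake_mode_t m`, and if it can be a server-mode handshake the call would presumably fail and print the warning on every such connection, so the condition should test `m` against the client value as well. Both points apply equally to the OpenSSL constructor hunk at -825. The constructor body starts above this hunk, so how `session` was initialised is not visible here.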
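Review bot: `SSL_set_tlsext_host_name` in the lftp_ssl_openssl constructor exists only when the OpenSSL headers were built with TLS extension support, which the quoted report says is the default only since 0.9.8j, so the added block may not compile against older or no-tlsext builds. Unless the project already requires a newer OpenSSL, wrap the added block in `#ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME` and `#endif`, which leaves SNI off on those builds instead of breaking them. The constructor starts above the hunk.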
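Review bot: The new `ssl:use-sni` entry in `lftp_vars` defaults to "yes", but as far as this diff shows the patch adds no description of the setting to the manual. The documentation should state that, when the setting is on, the server host name is sent unencrypted in the ClientHello and is visible to anyone observing the connection. It should also note that turning it off can make a name-based virtual host present its default certificate, which would then fail `ssl:check-hostname`. The table itself begins and ends outside the hunk.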