On Tue, Feb 26, 2013 at 04:21:10PM +0100, StalkR wrote:
> lftp does not support http://en.wikipedia.org/wiki/Server_Name_Indication
> GnuTLS and OpenSSL both support it (OpenSSL by default since 0.9.8j).
> Test site: https://sni.velox.ch/

This patch should enable SNI in lftp. Thank you for the tip!

-- 
   Alexander.
diff --git a/src/lftp_ssl.cc b/src/lftp_ssl.cc
index b856499..1525985 100644
--- a/src/lftp_ssl.cc
+++ b/src/lftp_ssl.cc
@@ -274,6 +274,11 @@ lftp_ssl_gnutls::lftp_ssl_gnutls(int fd1,handshake_mode_t 
m,const char *h)
    const char *auth=ResMgr::Query("ftp:ssl-auth", hostname);
    if(auth && !strncmp(auth, "SSL", 3))
       gnutls_priority_set_direct(session, 
"NORMAL:+SSL3.0:-TLS1.0:-TLS1.1:-TLS1.2",0);
+
+   if(h && ResMgr::QueryBool("ssl:use-sni",h)) {
+      if(gnutls_server_name_set(session, GNUTLS_NAME_DNS, h, xstrlen(h)) < 0)
+        fprintf(stderr,"WARNING: failed to configure server name indication 
(SNI) TLS extension\n");
+   }
 }
 void lftp_ssl_gnutls::load_keys()
 {
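Review bot: The added block passes `h` to `gnutls_server_name_set` as `GNUTLS_NAME_DNS` without checking that it is a DNS name, and the OpenSSL hunk below does the same with `SSL_set_tlsext_host_name`. RFC 6066 does not permit IPv4 or IPv6 address literals in the server_name extension, and some servers reject or mis-route a ClientHello that carries one. I would skip SNI for address literals, for example `if(h && !is_ip_literal(h) && ResMgr::QueryBool("ssl:use-sni",h)) {`, where `is_ip_literal` is a small helper still to be written (for instance on top of `inet_pton`). The block also runs regardless of `m`, and SNI is a client-side extension, so when the object is created for the server side of a handshake this call presumably fails and prints the warning for no reason. The constructor body starts outside the hunk, so the handling of `m` there should be confirmed.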
@@ -825,6 +830,11 @@ lftp_ssl_openssl::lftp_ssl_openssl(int 
fd1,handshake_mode_t m,const char *h)
    ssl=SSL_new(instance->ssl_ctx);
    SSL_set_fd(ssl,fd);
    SSL_ctrl(ssl,SSL_CTRL_MODE,SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER,0);
+
+   if(h && ResMgr::QueryBool("ssl:use-sni",h)) {
+      if(!SSL_set_tlsext_host_name(ssl, h))
+        fprintf(stderr,"WARNING: failed to configure server name indication 
(SNI) TLS extension\n");
+   }
 }
 void lftp_ssl_openssl::load_keys()
 {
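Review bot: `SSL_set_tlsext_host_name` in the added block is a macro that exists only when OpenSSL was built with TLS extension support, so this constructor will not compile against older or extension-less builds. The message above notes that support is on by default only since 0.9.8j. Wrapping the added block in `#ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME` and `#endif` keeps those builds working and drops SNI where the library cannot provide it. The constructor starts outside the hunk.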
diff --git a/src/resource.cc b/src/resource.cc
index 06d1d9c..80a38c8 100644
--- a/src/resource.cc
+++ b/src/resource.cc
@@ -355,6 +355,7 @@ static ResType lftp_vars[] = {
    {"ssl:cert-file",            "",      ResMgr::FileReadable,0},
    {"ssl:check-hostname",       "yes",   ResMgr::BoolValidate,0},
    {"ssl:verify-certificate",   "yes",   ResMgr::BoolValidate,0},
+   {"ssl:use-sni",              "yes",   ResMgr::BoolValidate,0},
 # if USE_OPENSSL
    {"ssl:ca-path",              "",      
ResMgr::DirReadable,ResMgr::NoClosure},
    {"ssl:crl-path",             "",      
ResMgr::DirReadable,ResMgr::NoClosure},
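Review bot: The new `ssl:use-sni` entry defaults to `yes`, but no documentation change for it is visible in this patch. The settings documentation should get an entry saying that, when enabled, the server host name is sent unencrypted in the TLS ClientHello and is visible to anyone observing the connection, and that `set ssl:use-sni no` turns it off. A short comment next to the table entry such as `/* sends host name in cleartext ClientHello (RFC 6066) */` would help the next reader as well.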