The code in ssl/t1_lib.c has a line missing which means that the loop which processes the server name extension will fail if more than one server name is present. This causes the connection to fail (not just the extension to be ignored).

What happens is that the code updates the remaining bytes count (dsize) and read pointer (sdata) as it processes the server name type and length fields, BUT only updates the byte count when it handles the server name. This means that, if more than one server name is present, the second iteration of the loop attempts to decode the first three bytes of the first server name as the type and length of the second name. This will fail and cause the connection to be rejected.

The fix is trivial - just add "sdata += len" to the end of the loop (see attached patch).

This has been reproduced, and the fix verified using the latest CVS sources as of now (7 Jan 2008). Unfortunately it can not be verified using the openssl client as its API does not allow multiple server names to be specified. It can be, and has been, verified using a gnutls client.

Cheers
Mark Phillips
openssl-multiple-server-names.patch
Description: Binary data
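To make the failure mode concrete, here is a small added C model of the ServerNameList walk described in the report. It is not OpenSSL's code and not the attached patch; the loop shape (read type and 2-byte length, subtract 3 from dsize, then subtract len) follows the report's description, and the two host names, the buffer builder and the `apply_fix` switch are constructed for this illustration. With `apply_fix` off, the second iteration reads the first three bytes of "alpha.example" as a type byte and a 16-bit length, gets a length far larger than the remaining bytes, and rejects the list; with the missing `sdata += len` restored, both names are consumed.

```c
#include <stdio.h>
#include <string.h>

#define NAMETYPE_HOST_NAME 0   /* host_name type from the TLS SNI extension */
#define MAX_NAME_LEN       255

/* Walk a ServerNameList body (entries only, list-length prefix already
 * stripped). Mirrors the loop described in the bug report: dsize is
 * decremented for type, length and name bytes, but sdata is only advanced
 * past the name when apply_fix is non-zero. Returns 1 on success, 0 when
 * the list is rejected; *out_count receives the number of host_name
 * entries that were handled. */
static int parse_server_name_list(const unsigned char *sdata, size_t dsize,
                                  int apply_fix, int *out_count)
{
    int count = 0;
    while (dsize >= 3) {
        unsigned char servname_type = *sdata++;
        size_t len = ((size_t)sdata[0] << 8) | sdata[1];   /* n2s() */
        sdata += 2;
        dsize -= 3;
        if (len > dsize)
            return 0;                 /* length field runs past the buffer */
        switch (servname_type) {
        case NAMETYPE_HOST_NAME:
            if (len == 0 || len > MAX_NAME_LEN)
                return 0;
            count++;                  /* a real parser would copy the name */
            break;
        default:
            break;                    /* unknown name types are skipped */
        }
        dsize -= len;
        if (apply_fix)
            sdata += len;             /* the line the report says is missing */
    }
    if (out_count)
        *out_count = count;
    return 1;
}

/* Build a ServerNameList body from host names (constructed test input). */
static size_t build_list(unsigned char *buf, const char **names, int n)
{
    size_t off = 0;
    for (int i = 0; i < n; i++) {
        size_t len = strlen(names[i]);
        buf[off++] = NAMETYPE_HOST_NAME;
        buf[off++] = (unsigned char)(len >> 8);
        buf[off++] = (unsigned char)(len & 0xff);
        memcpy(buf + off, names[i], len);
        off += len;
    }
    return off;
}

/* Parse a two-name list (the case the report says fails). */
int demo_two_names(int apply_fix, int *count)
{
    const char *names[] = { "alpha.example", "beta.example" };  /* constructed */
    unsigned char buf[64];
    size_t n = build_list(buf, names, 2);
    return parse_server_name_list(buf, n, apply_fix, count);
}

/* Parse a one-name list (works with or without the fix). */
int demo_one_name(int apply_fix, int *count)
{
    const char *names[] = { "alpha.example" };                  /* constructed */
    unsigned char buf[32];
    size_t n = build_list(buf, names, 1);
    return parse_server_name_list(buf, n, apply_fix, count);
}

int main(void)
{
    int c;
    printf("one name,  no fix: ok=%d names=%d\n", demo_one_name(0, &c), c);
    printf("two names, no fix: ok=%d\n", demo_two_names(0, &c));
    printf("two names, fixed : ok=%d names=%d\n", demo_two_names(1, &c), c);
    return 0;
}
```

The one-name case passes in both variants, which is why the defect is easy to miss with a client that can only send a single name; only a client that sends two or more names, such as the gnutls client the report mentions, exercises the second iteration.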
