author | Matt Caswell <matt@openssl.org> | 2017-11-14 13:43:42 +0000 |
---|---|---|
committer | Matt Caswell <matt@openssl.org> | 2017-11-21 17:46:22 +0000 |
commit | b510b740fb4e3cb35e6f297c232c0e776dbcbc71 (patch) | |
tree | 9a09541f64b2eb719a1a08f9f5b5018e1db18749 | |
parent | 665d899fa6d3571da016925067ebcf1789d7d19c (diff) |
Ignore the session when setting SNI in s_client
As per this comment:
https://github.com/openssl/openssl/issues/4496#issuecomment-337767145
Since the server is entitled to reject our session our ClientHello
should include everything that we would want if a full handshake were
to happen. Therefore we shouldn't use the session as a source of
information for setting SNI.
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/4738)
-rw-r--r-- | apps/s_client.c | 11 | ||||
-rw-r--r-- | test/recipes/70-test_sslmessages.t | 3 | ||||
-rw-r--r-- | test/recipes/70-test_tls13messages.t | 6 |
3 files changed, 3 insertions, 17 deletions
diff --git a/apps/s_client.c b/apps/s_client.c index 7c0639faad..fcab44cb56 100644 --- a/apps/s_client.c +++ b/apps/s_client.c @@ -1923,18 +1923,7 @@ int s_client_main(int argc, char **argv) ERR_print_errors(bio_err); goto end; } - /* By default the SNI should be the same as was set in the session */ - if (!noservername && servername == NULL) { - servername = SSL_SESSION_get0_hostname(sess); - if (servername == NULL) { - /* - * Force no SNI to be sent so we are consistent with the - * session. - */ - noservername = 1; - } - } SSL_SESSION_free(sess); } diff --git a/test/recipes/70-test_sslmessages.t b/test/recipes/70-test_sslmessages.t index 5ddf384fe2..e3eadfa107 100644 --- a/test/recipes/70-test_sslmessages.t +++ b/test/recipes/70-test_sslmessages.t @@ -164,8 +164,7 @@ $proxy->clientflags("-no_tls1_3 -sess_in ".$session); $proxy->clientstart(); checkhandshake($proxy, checkhandshake::RESUME_HANDSHAKE, checkhandshake::DEFAULT_EXTENSIONS - & ~checkhandshake::SESSION_TICKET_SRV_EXTENSION - & ~checkhandshake::SERVER_NAME_CLI_EXTENSION, + & ~checkhandshake::SESSION_TICKET_SRV_EXTENSION, "Resumption handshake test"); unlink $session; diff --git a/test/recipes/70-test_tls13messages.t b/test/recipes/70-test_tls13messages.t index 239eabfd5e..aaecbd3cca 100644 --- a/test/recipes/70-test_tls13messages.t +++ b/test/recipes/70-test_tls13messages.t @@ -167,8 +167,7 @@ $proxy->clientstart(); checkhandshake($proxy, checkhandshake::RESUME_HANDSHAKE, (checkhandshake::DEFAULT_EXTENSIONS | checkhandshake::PSK_CLI_EXTENSION - | checkhandshake::PSK_SRV_EXTENSION) - & ~checkhandshake::SERVER_NAME_CLI_EXTENSION, + | checkhandshake::PSK_SRV_EXTENSION), "Resumption handshake test"); #Test 3: A status_request handshake (client request only) 
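Review bot: The apps/s_client.c hunk deletes the only comment describing how SNI is chosen when a saved session is loaded and puts nothing in its place, so the code before `SSL_SESSION_free(sess);` no longer says that ignoring the session's hostname is deliberate. I would add `/* SNI is deliberately not taken from the session: the server may reject it, so the ClientHello must suit a full handshake. */` there. With the fallback gone, nothing visible in this hunk compares the name that will be sent with `SSL_SESSION_get0_hostname(sess)`. If the rest of `s_client_main` (which starts and ends outside the hunk) does not do so either, a resumption attempt can carry a server name different from the one the session was established under without the operator noticing. A one-line diagnostic to `bio_err` on mismatch would make that visible.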
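Review bot: The three resumption expectations changed here (this hunk in test/recipes/70-test_sslmessages.t and both hunks in test/recipes/70-test_tls13messages.t) now only cover the case where server_name is present in the ClientHello. As far as these hunks show, no test resumes with `-noservername` in the client flags, which appears to be the remaining way to suppress SNI now that the session no longer forces it. A companion case that adds `-noservername` to `$proxy->clientflags(...)` and keeps `& ~checkhandshake::SERVER_NAME_CLI_EXTENSION` in the expected mask would pin that path. The surrounding test setup is outside the hunks, so such a case may already exist elsewhere in these files.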
@@ -312,8 +311,7 @@ checkhandshake($proxy, checkhandshake::HRR_RESUME_HANDSHAKE, (checkhandshake::DEFAULT_EXTENSIONS | checkhandshake::KEY_SHARE_HRR_EXTENSION | checkhandshake::PSK_CLI_EXTENSION - | checkhandshake::PSK_SRV_EXTENSION) - & ~checkhandshake::SERVER_NAME_CLI_EXTENSION, + | checkhandshake::PSK_SRV_EXTENSION), "Resumption handshake with HRR test"); #Test 16: Acceptable but non preferred key_share |