author | semarie <semarie@openbsd.org> | 2020-06-09 06:35:17 +0000 |
---|---|---|
committer | semarie <semarie@openbsd.org> | 2020-06-09 06:35:17 +0000 |
commit | da8a8f6ba7e553981358febca641adb44835bdba (patch) | |
tree | bd712ec1f66cde2c61c747f8afb953b71bea2a5a /usr.sbin/smtpd | |
parent | reduce the diff to linux (diff) | |
set TLS SNI when relaying to host
ok beck@
"looks reasonable" millert@
Diffstat (limited to 'usr.sbin/smtpd')
-rw-r--r-- | usr.sbin/smtpd/mta_session.c | 23 |
1 files changed, 22 insertions, 1 deletions
diff --git a/usr.sbin/smtpd/mta_session.c b/usr.sbin/smtpd/mta_session.c
index d384692a0e4..f6ae6337b9b 100644
--- a/usr.sbin/smtpd/mta_session.c
+++ b/usr.sbin/smtpd/mta_session.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: mta_session.c,v 1.136 2020/05/21 15:38:05 millert Exp $ */
+/* $OpenBSD: mta_session.c,v 1.137 2020/06/09 06:35:17 semarie Exp $ */
 
 /*
  * Copyright (c) 2008 Pierre-Yves Ritschard <pyr@openbsd.org>
@@ -26,6 +26,7 @@
 #include <sys/stat.h>
 #include <sys/uio.h>
+#include <arpa/inet.h>
 #include <ctype.h>
 #include <err.h>
 #include <errno.h>
@@ -1604,6 +1605,10 @@ mta_cert_init_cb(void *arg, int status, const char *name, const void *cert,
 	struct mta_session *s = arg;
 	void *ssl;
 	char *xname = NULL, *xcert = NULL;
+	union {
+		struct in_addr in4;
+		struct in6_addr in6;
+	} addrbuf;
 
 	if (s->flags & MTA_WAIT)
 		mta_tree_pop(&wait_tls_init, s->id);
@@ -1623,6 +1628,22 @@ mta_cert_init_cb(void *arg, int status, const char *name, const void *cert,
 	free(xcert);
 	if (ssl == NULL)
 		fatal("mta: ssl_mta_init");
+
+	/*
+	 * RFC4366 (SNI): Literal IPv4 and IPv6 addresses are not
+	 * permitted in "HostName".
+	 */
+	if (s->relay->domain->as_host == 1) {
+		if (inet_pton(AF_INET, s->relay->domain->name, &addrbuf) != 1 &&
+		    inet_pton(AF_INET6, s->relay->domain->name, &addrbuf) != 1) {
+			log_debug("%016"PRIx64" mta tls setting SNI name=%s",
+			    s->id, s->relay->domain->name);
+			if (SSL_set_tlsext_host_name(ssl, s->relay->domain->name) == 0)
+				log_warnx("%016"PRIx64" mta tls setting SNI failed",
+				    s->id);
+		}
+	}
+
 	io_start_tls(s->io, ssl);
 }
|
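Review bot: The two new `inet_pton()` calls only recognise a bare address in `s->relay->domain->name`; if a bracketed literal such as `[2001:db8::1]` (a constructed example, the usual way an IPv6 relay host is written) can reach this point with `as_host == 1`, both calls return 0 and the bracketed literal is sent as the SNI HostName, which is exactly what the comment says must not happen — worth confirming how `domain->name` is stored, or stripping the brackets before the check. The comment cites RFC 4366, which has been obsoleted by RFC 6066; I would write `* RFC 6066 (SNI, obsoletes RFC 4366): literal IPv4 and IPv6` on the second comment line so a reader lands on the current text. Relays whose domain is not `as_host` still get no SNI at all; if that is deliberate, a one-line comment on the `if (s->relay->domain->as_host == 1)` line saying so would spare the next reader the question. Treating a failed `SSL_set_tlsext_host_name()` as a warning and continuing without SNI looks like the right call here, since the handshake is still protected by the usual certificate checks. The body of `mta_cert_init_cb` begins before this hunk.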