[PATCH] support for server name indication (RFC 4366)

From: Guenter Knauf <eflash_at_gmx.net>
Date: Tue, 12 Feb 2008 04:03:58 +0100

Hi all,
we are currently working on getting support for server name indication (see RFC 4366, "Transport Layer Security (TLS) Extensions") into mod_ssl, and I have committed a patch from Kaspar Brand to trunk:
http://issues.apache.org/bugzilla/show_bug.cgi?id=34607
Meanwhile all modern browsers support SNI, and since OpenSSL 0.9.8f is out we have also a released OpenSSL version which supports SNI (must be enabled with enable-tlsext at compile time). GnuTLS has SNI support since version 0.5.10 (Oct. 2002), and NSS since version 3.11.1 (May 2006).
Therefore we thought that cURL should also support SNI, and Kaspar created a patch:
http://svwe10.itex.at/mirror/curl/source/curl-sni-v1.diff
In order to identify a cURL build which supports the SNI extension I added a few lines to lib/version.c:
http://svwe10.itex.at/mirror/curl/source/version.c.diff
when you have compiled OpenSSL 0.9.8f or later with 'enable-tlsext' and rebuilt libcurl / curl, then in order to test this you can visit one of the test sites mentioned in the ASF bug report, e.g.:
https://sni.velox.ch/
download the root.crt from there, and then use:
curl --cacert root.crt https://sni.velox.ch/ -o out.html
if all works well the out.html should look something like this:

Great! Your client [curl/7.18.1-CVS (i386-pc-win32) libcurl/7.18.1-CVS OpenSSL/0.9.8g zlib/1.2.3] sent the following TLS server name indication extension (RFC 4366) in its ClientHello:

  sni.velox.ch

As you can see, I have tested from the Win32 platform with OpenSSL, which works so far;
others who can test with NSS and GnuTLS are welcome.

The patch is a proposal for further discussion - there are a couple of questions which need to be discussed, and are not yet coded in the patch, e.g.:
- should SNI be disabled at configure time (my 2ct: no, it can be automatically detected)
- should SNI feature be switchable at runtime (my 2ct: yes)
- should it be enabled or disabled by default (my 2ct: enabled)
- if we disable SNI at runtime, should it be separate for SNI only, or just for all TLS extensions?

and finally another question which unfortunately Patrick was not able to answer: what about the AS400 SSL support? We don't know yet if this SSL toolkit supports SNI too...

I may have overlooked something because what I post here is a summary and translation of 4 German mails I discussed with Kaspar, the author of the patch...

Oh, the patch now has a slight fuzz, but applies - my fault because Kaspar sent me the patch already on Jan 30, but I didn't find enough time for some testing before now.

Guen.
Received on 2008-02-12
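To make concrete what the test site above is reporting, here is an added example (my own code, not part of the patch, curl or OpenSSL) that encodes the RFC 4366 server_name extension exactly as it sits in a ClientHello's extensions block, and parses the host_name entries back out of a constructed block, refusing truncated length fields. The second extension in the sample (type 0xFFFF) is made up only to show that unrelated extensions are skipped.

```python
import struct

EXT_SERVER_NAME = 0      # extension_type server_name, RFC 4366 section 2.3
NAME_TYPE_HOST_NAME = 0  # NameType host_name(0), RFC 4366 section 3.1

def encode_server_name_ext(hostname: str) -> bytes:
    """type(2) | ext_len(2) | list_len(2) | name_type(1) | name_len(2) | HostName"""
    host = hostname.encode("ascii")
    server_name_list = struct.pack("!HBH", len(host) + 3, NAME_TYPE_HOST_NAME, len(host)) + host
    return struct.pack("!HH", EXT_SERVER_NAME, len(server_name_list)) + server_name_list

def sni_hostnames(ext_block: bytes) -> list:
    """Walk a ClientHello extensions block (2-byte total length, then extensions)
    and return the host_name entries of the server_name extension. An empty list
    means the client sent no SNI (curl before this patch). Every length field is
    checked, so a truncated or malformed block raises ValueError."""
    if len(ext_block) < 2 or len(ext_block) != 2 + struct.unpack("!H", ext_block[:2])[0]:
        raise ValueError("bad extensions block length")
    names, off = [], 2
    while off < len(ext_block):
        if off + 4 > len(ext_block):
            raise ValueError("truncated extension header")
        ext_type, ext_len = struct.unpack("!HH", ext_block[off:off + 4])
        data = ext_block[off + 4:off + 4 + ext_len]
        if len(data) != ext_len:
            raise ValueError("truncated extension data")
        off += 4 + ext_len
        if ext_type != EXT_SERVER_NAME:
            continue                      # some other TLS extension: skip it
        if len(data) < 2 or struct.unpack("!H", data[:2])[0] != len(data) - 2:
            raise ValueError("bad ServerNameList length")
        pos = 2
        while pos < len(data):
            if pos + 3 > len(data):
                raise ValueError("truncated ServerName")
            name_type, name_len = struct.unpack("!BH", data[pos:pos + 3])
            name = data[pos + 3:pos + 3 + name_len]
            if len(name) != name_len:
                raise ValueError("truncated HostName")
            if name_type == NAME_TYPE_HOST_NAME:
                names.append(name.decode("ascii"))
            pos += 3 + name_len
    return names

# Constructed sample extensions block: the SNI entry the test site reported plus
# a second, made-up extension (type 0xFFFF) to show that others are skipped.
_exts = encode_server_name_ext("sni.velox.ch") + struct.pack("!HH", 0xFFFF, 2) + b"\x01\x02"
SAMPLE_CLIENT_HELLO_EXTENSIONS = struct.pack("!H", len(_exts)) + _exts
```

Feeding the extensions bytes of a captured ClientHello to sni_hostnames() is a quick way to confirm from the wire, rather than from the test site's HTML, which name a rebuilt curl actually sends.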