From 3441c288be67c79c960e8386668731e55db60f0c Mon Sep 17 00:00:00 2001
From: Peter Hartmann
Date: Tue, 22 Mar 2011 10:54:46 +0100
Subject: SSL: send SNI extension only if not connecting to an IP otherwise the host name and the name we send in the SNI header (the IP) would not match.
Reviewed-by: Thiago Macieira
Reviewed-by: Richard J. Moore
Task-number: QTBUG-18258
---
 src/network/ssl/qsslsocket_openssl.cpp | 3 ++-
 tests/auto/qsslsocket/tst_qsslsocket.cpp | 6 ++++--
 2 files changed, 6 insertions(+), 3 deletions(-)
diff --git a/src/network/ssl/qsslsocket_openssl.cpp b/src/network/ssl/qsslsocket_openssl.cpp
index c1b1712..d6967fe 100644
--- a/src/network/ssl/qsslsocket_openssl.cpp
+++ b/src/network/ssl/qsslsocket_openssl.cpp
@@ -418,7 +418,8 @@ init_context:
 if (tlsHostName.isEmpty())
 tlsHostName = hostName;
 QByteArray ace = QUrl::toAce(tlsHostName);
- if (!ace.isEmpty()) {
+ // only send the SNI header if the URL is valid and not an IP
+ if (!ace.isEmpty() && !QHostAddress().setAddress(tlsHostName)) {
 if (!q_SSL_ctrl(ssl, SSL_CTRL_SET_TLSEXT_HOSTNAME, TLSEXT_NAMETYPE_host_name, ace.constData()))
 qWarning("could not set SSL_CTRL_SET_TLSEXT_HOSTNAME, Server Name Indication disabled");
 }
diff --git a/tests/auto/qsslsocket/tst_qsslsocket.cpp b/tests/auto/qsslsocket/tst_qsslsocket.cpp
index ef5833ef..472be69 100644
--- a/tests/auto/qsslsocket/tst_qsslsocket.cpp
+++ b/tests/auto/qsslsocket/tst_qsslsocket.cpp
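Review bot: The new guard `if (!ace.isEmpty() && !QHostAddress().setAddress(tlsHostName))` changes more than the SNI extension, and the comment above it does not say so. As the updated rows in tst_qsslsocket.cpp record, an AnyProtocol client that connects to a numeric IP now makes OpenSSL send an SSL 2 handshake and no longer connects to SSLv3-only or TLS1-only servers. That downgrade of the hello format is a security-relevant side effect and should be documented at the guard, and probably in the QSslSocket documentation too. The comment also says "URL" where the value is a host name; I would write `// SNI carries DNS host names only (RFC 4366 section 3.1 forbids IP literals); without it an AnyProtocol client sends an SSLv2-compatible hello`. The enclosing block starts and ends outside the hunk.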
@@ -918,13 +918,15 @@ void tst_QSslSocket::protocolServerSide_data()
 QTest::newRow("ssl3-tls1") << QSsl::SslV3 << QSsl::TlsV1 << false;
 QTest::newRow("ssl3-tls1ssl3") << QSsl::SslV3 << QSsl::TlsV1SslV3 << true;
 QTest::newRow("ssl3-secure") << QSsl::SslV3 << QSsl::SecureProtocols << true;
- QTest::newRow("ssl3-any") << QSsl::SslV3 << QSsl::AnyProtocol << true;
+ QTest::newRow("ssl3-any") << QSsl::SslV3 << QSsl::AnyProtocol << false; // we wont set a SNI header here because we connect to a
+ // numerical IP, so OpenSSL will send a SSL 2 handshake
 QTest::newRow("tls1-ssl2") << QSsl::TlsV1 << QSsl::SslV2 << false;
 QTest::newRow("tls1-ssl3") << QSsl::TlsV1 << QSsl::SslV3 << false;
 QTest::newRow("tls1-tls1ssl3") << QSsl::TlsV1 << QSsl::TlsV1SslV3 << true;
 QTest::newRow("tls1-secure") << QSsl::TlsV1 << QSsl::SecureProtocols << true;
- QTest::newRow("tls1-any") << QSsl::TlsV1 << QSsl::AnyProtocol << true;
+ QTest::newRow("tls1-any") << QSsl::TlsV1 << QSsl::AnyProtocol << false; // we wont set a SNI header here because we connect to a
+ // numerical IP, so OpenSSL will send a SSL 2 handshake
 QTest::newRow("tls1ssl3-ssl2") << QSsl::TlsV1SslV3 << QSsl::SslV2 << false;
 QTest::newRow("tls1ssl3-ssl3") << QSsl::TlsV1SslV3 << QSsl::SslV3 << true;
-- cgit v0.12
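Review bot: Flipping `ssl3-any` and `tls1-any` to `false` pins the expectation to the numeric-IP case only, and nothing in this hunk still exercises the path where SNI is sent. Going by the comment, the same protocol pairs presumably still succeed when the client connects by host name, so a variant that connects by name would keep that path covered. The explanation would read better as a comment above each row than as a two-line trailing comment, and should name the condition, e.g. `// no SNI for a numeric IP: the AnyProtocol client sends an SSLv2-compatible hello, which this server rejects`. protocolServerSide_data() starts and ends outside the hunk.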