From 3534efe79879daeffe52fbb5eca8955df324a981 Mon Sep 17 00:00:00 2001
From: Christopher Faulet
Date: Fri, 5 Dec 2025 09:41:03 +0100
Subject: [PATCH] BUG/MINOR: ssl: Don't allow to set NULL sni

ssl_sock_set_servername() function was documented to support NULL sni to unset it. However, the man page of SSL_get_servername() does not mentionned it is supported or not. And it is in fact not supported by WolfSSL and leads to a crash if we do so. For now, this function is never called with a NULL sni, so it better and safer to forbid this case. Now, if the sni is NULL, the function does nothing. This patch could be backported to all stable versions.
---
 src/ssl_sock.c | 9 +++------
 1 file changed, 3 insertions(+), 6 deletions(-)

diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index efcb40b4e..3fe42d3f6 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -7605,8 +7605,7 @@ void ssl_sock_set_alpn(struct connection *conn, const unsigned char *alpn, int l
 #endif
 }
 
-/* Sets advertised SNI for outgoing connections. Please set to NULL
- * to disable SNI.
+/* Sets advertised SNI for outgoing connections.
  */
 void ssl_sock_set_servername(struct connection *conn, const char *hostname)
 {
@@ -7614,7 +7613,7 @@ void ssl_sock_set_servername(struct connection *conn, const char *hostname)
 	struct ssl_sock_ctx *ctx = conn_get_ssl_sock_ctx(conn);
 	char *prev_name;
 
-	if (!ctx)
+	if (!ctx || !hostname)
 		return;
 
 	BUG_ON(!(conn->flags & CO_FL_WAIT_L6_CONN));
@@ -7629,9 +7628,7 @@ void ssl_sock_set_servername(struct connection *conn, const char *hostname)
 	 */
 	prev_name = (char *)SSL_get_servername(ctx->ssl, TLSEXT_NAMETYPE_host_name);
 
-	if ((!prev_name && hostname) ||
-	    !hostname ||
-	    strcmp(hostname, prev_name) != 0) {
+	if (!prev_name || strcmp(hostname, prev_name) != 0) {
 		SSL_set_session(ctx->ssl, NULL);
 		SSL_set_tlsext_host_name(ctx->ssl, hostname);
 	}
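Review bot: The rewritten header comment in the first hunk no longer says what happens when hostname is NULL, which is precisely the behaviour this commit changes: the old comment promised that NULL disables SNI, and the new code silently ignores it instead, so a caller reading only the comment has no way to know the name is left untouched. Suggest `/* Sets advertised SNI for outgoing connections. A NULL hostname is ignored: the current SNI is left unchanged, never cleared. */`. The body of ssl_sock_set_servername continues past this hunk.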
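Review bot: In the second hunk, `if (!ctx || !hostname) return;` makes a NULL hostname a silent no-op, so whatever server name was set on ctx->ssl earlier stays in place where the previous code would have cleared it; if a caller ever relied on NULL to drop a stale name, that name would now keep being advertised without any diagnostic. Since the commit message states that no caller passes NULL today, a `BUG_ON(!hostname);` next to the existing `BUG_ON(!(conn->flags & CO_FL_WAIT_L6_CONN));` would surface a future caller doing so in debug builds, while the early return still protects WolfSSL in release builds. The function starts in the previous hunk and continues past this one.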