mirror of
http://git.haproxy.org/git/haproxy.git
synced 2026-02-10 12:32:49 +02:00
This patch fixes the commit 2ab8867 ("MINOR: ssl: compare server certificate names to the SNI on outgoing connections").

When we check the certificate sent by a server, in the verify callback, we get the SNI from the session (SSL_SESSION object). In OpenSSL, the tlsext_hostname value for this session is copied from the ssl connection (SSL object). But the copy is done only if the "server_name" extension is found in the server hello message. This means the server has found a certificate matching the client's SNI. When the server returns a default certificate not matching the client's SNI, it doesn't set any "server_name" extension in the server hello message. So no SNI is set on the SSL session and SSL_SESSION_get0_hostname always returns NULL.

To fix the problem, we get the SNI directly from the SSL connection. It is always defined with the value set by the client.

If the commit 2ab8867 is backported in 1.7 and/or 1.6, this one must be backported too.

Note: it's worth mentioning that by making the SNI check work, we introduce another problem by which failed SNI checks can cause long connection retries on the server, and in certain cases the SNI value used comes from the client. So this patch series must not be backported until this issue is resolved.
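The scenario the commit describes, as an added example that is not HAProxy's code and does not use OpenSSL: a server that holds a single "default" certificate and returns it whatever SNI the client sends, and a client-side verify hook that compares that certificate's names against the SNI the client itself sent. Go's crypto/tls is used because it exposes the same distinction the fix relies on: on the client side, `tls.ConnectionState.ServerName` is the name the client configured on the connection, the analogue of reading the SNI from the SSL connection object rather than from the session, so it is populated whether or not the server echoed a server_name extension. The hostnames `app.example` and `default.example`, the throwaway self-signed certificate, the in-memory `chanConn` transport and the `Handshake` helper are all constructed for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"io"
	"math/big"
	"net"
	"sync"
	"time"
)

// chanConn is a tiny in-memory net.Conn over buffered channels: the handshake
// runs offline, and a one-sided abort (alert, close) can never deadlock a peer.
type chanConn struct {
	in   <-chan []byte
	out  chan<- []byte
	rem  []byte
	once sync.Once
}

func (c *chanConn) Read(p []byte) (int, error) {
	for len(c.rem) == 0 {
		b, ok := <-c.in
		if !ok {
			return 0, io.EOF
		}
		c.rem = b
	}
	n := copy(p, c.rem)
	c.rem = c.rem[n:]
	return n, nil
}
func (c *chanConn) Write(p []byte) (int, error)      { c.out <- append([]byte(nil), p...); return len(p), nil }
func (c *chanConn) Close() error                      { c.once.Do(func() { close(c.out) }); return nil }
func (c *chanConn) LocalAddr() net.Addr               { return nil }
func (c *chanConn) RemoteAddr() net.Addr              { return nil }
func (c *chanConn) SetDeadline(time.Time) error       { return nil }
func (c *chanConn) SetReadDeadline(time.Time) error   { return nil }
func (c *chanConn) SetWriteDeadline(time.Time) error  { return nil }

func memPipe() (client, server net.Conn) {
	a, b := make(chan []byte, 256), make(chan []byte, 256)
	return &chanConn{in: a, out: b}, &chanConn{in: b, out: a}
}

// selfSigned builds a throwaway self-signed server certificate whose only DNS
// SAN is name (constructed test material, valid for two hours around now).
func selfSigned(name string) (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		DNSNames:              []string{name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true, // self-signed, so it is its own issuer
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, nil
}

// Handshake runs one in-memory TLS handshake. The server always answers with its
// single default certificate (issued for serverCertName), whatever SNI arrives;
// the client checks that certificate against the SNI it sent (clientSNI).
// It returns the client-side handshake error, nil when the names match.
func Handshake(serverCertName, clientSNI string) error {
	cert, err := selfSigned(serverCertName)
	if err != nil {
		return err
	}
	cli, srv := memPipe()
	done := make(chan struct{})
	go func() {
		defer close(done)
		s := tls.Server(srv, &tls.Config{Certificates: []tls.Certificate{cert}})
		_ = s.Handshake() // the server's error, if any, mirrors the client's
		srv.Close()
	}()
	c := tls.Client(cli, &tls.Config{
		ServerName:         clientSNI,
		InsecureSkipVerify: true, // chain building is out of scope; the name check is the point
		VerifyConnection: func(cs tls.ConnectionState) error {
			if len(cs.PeerCertificates) == 0 {
				return errors.New("no server certificate presented")
			}
			// cs.ServerName is the SNI this client sent, read from the
			// connection, not from anything the server chose to echo back.
			if err := cs.PeerCertificates[0].VerifyHostname(cs.ServerName); err != nil {
				return fmt.Errorf("server certificate does not match SNI %q: %w", cs.ServerName, err)
			}
			return nil
		},
	})
	err = c.Handshake()
	cli.Close()
	<-done
	return err
}

func main() {
	fmt.Println("matching certificate:", Handshake("app.example", "app.example"))
	fmt.Println("default certificate :", Handshake("default.example", "app.example"))
}
```

The first call succeeds because the default certificate carries `app.example`; the second fails inside `VerifyConnection`, which is the behaviour the fixed check produces when a backend serves a certificate for some other name. The check uses the client's own configured name at every handshake, so a server that answers with a default certificate (and therefore no server_name extension) is rejected rather than silently accepted. The retry behaviour mentioned in the commit's note is a property of how the caller reacts to that error and is not modelled here.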