=== modified file 'src/host.c'
--- src/host.c.orig
+++ src/host.c
@@ -904,3 +904,19 @@ host_cleanup (void)
 host_name_addresses_map = NULL;
 }
 }
+
+/* Determine whether or not a hostname is an IP address that we recognise. */
+bool
+is_ip_address (const char *name)
+{
+ const char *endp;
+
+ endp = name + strlen(name);
+ if (is_valid_ipv4_address(name, endp))
+ return true;
+#ifdef ENABLE_IPV6
+ if (is_valid_ipv4_address(name, endp))
+ return true;
+#endif
+ return false;
+}
--- src/host.h.orig
+++ src/host.h
@@ -101,5 +101,5 @@
 bool accept_domain (struct url *);
 bool sufmatch (const char **, const char *);
 void host_cleanup (void);
-
+bool is_ip_address(const char *);
 #endif /* HOST_H */
--- src/http.c.orig
+++ src/http.c
@@ -1762,7 +1762,7 @@ gethttp (struct url *u, struct http_stat
 if (conn->scheme == SCHEME_HTTPS)
 {
- if (!ssl_connect_wget (sock))
+ if (!ssl_connect_wget (sock, u->host))
 {
 fd_close (sock);
 return CONSSLERR;
--- src/openssl.c.orig
+++ src/openssl.c
@@ -42,12 +42,12 @@ as that of the covered work. */
 #include 
 #include 
 #include 
-
+#include 
 #include "utils.h"
 #include "connect.h"
 #include "url.h"
 #include "ssl.h"
-
+#include "host.h"
 /* Application-wide SSL context. This is common to all SSL connections. */
 static SSL_CTX *ssl_ctx;
@@ -173,11 +173,15 @@ ssl_init ()
 _("Could not seed PRNG; consider using --random-file.\n"));
 goto error;
 }
-
+ OPENSSL_config(NULL);
 SSL_library_init ();
 SSL_load_error_strings ();
 SSLeay_add_all_algorithms ();
 SSLeay_add_ssl_algorithms ();
+ /* Load all bundled ENGINEs into memory and make them visible */
+ ENGINE_load_builtin_engines();
+ /* Register all of them for every algorithm they collectively implement */
+ ENGINE_register_all_complete();
 switch (opt.secure_protocol)
 {
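Review bot: The `#ifdef ENABLE_IPV6` branch of is_ip_address repeats the IPv4 test instead of checking for an IPv6 literal, so an IPv6 address is never recognised and is handed on to SSL_set_tlsext_host_name as though it were a name. host.c's existing is_valid_ipv6_address takes the same (str, end) pair; the branch should read `if (is_valid_ipv6_address (name, endp))`. The function also calls strlen on name unconditionally, so either state in the header comment that name must be non-NULL or add `if (!name) return false;` before the strlen.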
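Review bot: The new prototype `bool is_ip_address(const char *);` is spaced differently from its neighbours in host.h, which all put a space before the parameter list (`void host_cleanup (void);`); for consistency write `bool is_ip_address (const char *);`. The hunk also removes the blank line that separated the declarations from `#endif /* HOST_H */`, which the rest of the header presumably keeps.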
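Review bot: The host handed to ssl_connect_wget is `u->host` while the scheme check on the line above reads `conn->scheme`, so two different objects are consulted on adjacent lines; if conn can differ from u here (a proxied connection), u->host is the right name for server-name indication, but the choice deserves a comment such as `/* SNI must name the origin host (u->host), not whatever conn refers to.  */`. Whether u->host can be NULL at this point is not visible in the hunk, and ssl_connect_wget (openssl.c hunk) dereferences it without a check. gethttp begins and ends outside the hunk.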
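Review bot: `OPENSSL_config(NULL)` and the two ENGINE_* calls make ssl_init's behaviour depend on the process environment — OPENSSL_config reads the configuration file named by OPENSSL_CONF (or the library's default location), ignores errors silently, and can itself load engines and modules, and ENGINE_register_all_complete then makes every built-in engine the default implementation for each algorithm it offers. None of that is explained by the hunk's two comments, so at minimum document it above the call, e.g. `/* Load openssl.cnf (OPENSSL_CONF or the system default); errors are silently ignored and it may load further engines.  */`. If ssl_init has a matching shutdown path, CONF_modules_free and ENGINE_cleanup belong there to release what these calls allocate; that code is outside the hunk. The hunk also drops the blank line that separated the PRNG-seeding block from the library initialisation calls.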
@@ -237,7 +241,10 @@ ssl_init ()
 /* The OpenSSL library can handle renegotiations automatically, so tell it to do so. */
 SSL_CTX_set_mode (ssl_ctx, SSL_MODE_AUTO_RETRY);
-
+#ifdef SSL_MODE_RELEASE_BUFFERS
+ /* Keep memory usage as low as possible */
+ SSL_CTX_set_mode (ssl_ctx, SSL_MODE_RELEASE_BUFFERS);
+#endif
 return true;
 error:
@@ -392,7 +399,7 @@ static struct transport_implementation o
 Returns true on success, false on failure. */
 bool
-ssl_connect_wget (int fd)
+ssl_connect_wget (int fd, const char *hostname)
 {
 SSL *conn;
 struct openssl_transport_context *ctx;
@@ -403,6 +410,18 @@ ssl_connect_wget (int fd)
 conn = SSL_new (ssl_ctx);
 if (!conn)
 goto error;
+
+#if OPENSSL_VERSION_NUMBER >= 0x0090806fL && !defined(OPENSSL_NO_TLSEXT)
+ /* If the SSL library was build with support for ServerNameIndication
+ then use it whenever we have a hostname. If not, don't, ever. */
+ if (!is_ip_address(hostname))
+ {
+ if (!SSL_set_tlsext_host_name(conn, hostname)) {
+ DEBUGP (("Failed to set TLS server-name indication."));
+ goto error;
+ }
+ }
+#endif
 if (!SSL_set_fd (conn, fd))
 goto error;
 SSL_set_connect_state (conn);
--- src/ssl.h.orig
+++ src/ssl.h
@@ -33,7 +33,7 @@ as that of the covered work. */
 #define GEN_SSLFUNC_H
 bool ssl_init (void);
-bool ssl_connect_wget (int);
+bool ssl_connect_wget (int, const char *);
 bool ssl_check_certificate (int, const char *);
 #endif /* GEN_SSLFUNC_H */
--- src/iri.c.orig
+++ src/iri.c
@@ -114,7 +114,7 @@ check_encoding_name (char *encoding)
 static bool
 open_locale_to_utf8 (void)
 {
-
+ return true;
 }
 /* Try converting string str from locale to UTF-8. Return a new string
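Review bot: The comment block above ssl_connect_wget, of which only the last line `Returns true on success, false on failure. */` is in the hunk, is not updated for the new `hostname` parameter. It should say what the name is used for (TLS server-name indication on the new connection), that it must be non-NULL because the body passes it to is_ip_address, which calls strlen on it, and that IP literals are deliberately not sent as a server name. Both the comment block and the function body start or continue outside the hunk.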
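Review bot: `is_ip_address(hostname)` is evaluated unconditionally, and is_ip_address (host.c hunk) calls strlen on its argument, so a NULL hostname from any caller is undefined behaviour rather than "no SNI"; guard it with `if (hostname && !is_ip_address (hostname))`. The inner `if (!SSL_set_tlsext_host_name(conn, hostname)) {` puts the brace on the same line, unlike the outer if two lines above and the rest of this GNU-style file, and the DEBUGP text lacks the trailing newline that the message in the ssl_init hunk carries. The version guard `OPENSSL_VERSION_NUMBER >= 0x0090806fL` (0.9.8f, where the TLS extension API appeared) would be clearer with a one-line comment saying so. The `error:` label this path jumps to is outside the hunk, so whether it frees conn cannot be confirmed here.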
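Review bot: `return true;` turns open_locale_to_utf8 into a stub that reports success without opening anything, and nothing in the hunk says so, so a reader of its caller will assume a locale-to-UTF-8 converter is available. Add a comment in the body, e.g. `/* Stub: nothing is opened; success is reported unconditionally.  */`. This change is also unrelated to the server-name-indication work in the rest of the patch and would be clearer as its own commit. The callers are outside the hunk, so whether they act on the return value cannot be confirmed from here.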