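--- a/src/host.c
+++ b/src/host.c
@@ -914,3 +914,19 @@ host_cleanup (void)
 host_name_addresses_map = NULL;
 }
 }
+
+/* Determine whether or not a hostname is an IP address that we recognise. */
+bool
+is_ip_address (const char *name)
+{
+ const char *endp;
+
+ endp = name + strlen(name);
+ if (is_valid_ipv4_address(name, endp))
+ return true;
+#ifdef ENABLE_IPV6
+ if (is_valid_ipv6_address(name, endp))
+ return true;
+#endif
+ return false;
+}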
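Review bot: `is_ip_address` passes `name` straight to `strlen`, so a NULL hostname is undefined behaviour, and the header comment should state that precondition; I would extend it to `/* Determine whether or not a hostname is an IP address that we recognise. `name` must be a non-NULL, NUL-terminated string. */`. The IPv6 check is compiled only under ENABLE_IPV6, so in a build without it an IPv6 literal is reported as "not an address", and a caller that uses the result to decide whether to send SNI would then send the literal as the server name. Whether such a literal can reach this function in a non-IPv6 build depends on the URL parser, which is not visible here; if the fall-through is intended, a one-line comment on the `#endif` saying so would save the next reader the question.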
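--- a/src/host.h
+++ b/src/host.h
@@ -102,5 +102,5 @@ bool accept_domain (struct url *);
 bool sufmatch (const char **, const char *);
 
 void host_cleanup (void);
-
+bool is_ip_address(const char *);
 #endif /* HOST_H */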
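Review bot: The new prototype `bool is_ip_address(const char *);` omits the space before the parameter list that every neighbouring declaration in this header uses (`bool sufmatch (...)`, `void host_cleanup (void);`); for consistency write `bool is_ip_address (const char *);`. Replacing the blank line rather than adding after it also leaves the new declaration directly against `#endif /* HOST_H */`, which the surrounding layout avoids.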
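--- a/src/http.c
+++ b/src/http.c
@@ -1909,7 +1909,7 @@ gethttp (struct url *u, struct http_stat
 
 if (conn->scheme == SCHEME_HTTPS)
 {
- if (!ssl_connect_wget (sock))
+ if (!ssl_connect_wget (sock, u->host))
 {
 fd_close (sock);
 return CONSSLERR;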
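--- a/src/openssl.c
+++ b/src/openssl.c
@@ -40,12 +40,12 @@ as that of the covered work. */
 #include <openssl/x509v3.h>
 #include <openssl/err.h>
 #include <openssl/rand.h>
-
+#include <openssl/engine.h>
 #include "utils.h"
 #include "connect.h"
 #include "url.h"
 #include "ssl.h"
-
+#include "host.h"
 #ifdef WINDOWS
 # include <w32sock.h>
 #endif
@@ -175,11 +175,15 @@ ssl_init ()
 _("Could not seed PRNG; consider using --random-file.\n"));
 goto error;
 }
-
+ OPENSSL_config(NULL);
 SSL_library_init ();
 SSL_load_error_strings ();
 SSLeay_add_all_algorithms ();
 SSLeay_add_ssl_algorithms ();
+ /* Load all bundled ENGINEs into memory and make them visible */
+ ENGINE_load_builtin_engines();
+ /* Register all of them for every algorithm they collectively implement */
+ ENGINE_register_all_complete();
 
 switch (opt.secure_protocol)
 {
@@ -239,7 +243,10 @@ ssl_init ()
 /* The OpenSSL library can handle renegotiations automatically, so
 tell it to do so. */
 SSL_CTX_set_mode (ssl_ctx, SSL_MODE_AUTO_RETRY);
-
+#ifdef SSL_MODE_RELEASE_BUFFERS
+ /* Keep memory usage as low as possible */
+ SSL_CTX_set_mode (ssl_ctx, SSL_MODE_RELEASE_BUFFERS);
+#endif
 return true;
 
 error:
@@ -393,7 +400,7 @@ static struct transport_implementation o
 Returns true on success, false on failure. */
 
 bool
-ssl_connect_wget (int fd)
+ssl_connect_wget (int fd, const char *hostname)
 {
 SSL *conn;
 struct openssl_transport_context *ctx;
@@ -404,6 +411,18 @@ ssl_connect_wget (int fd)
 conn = SSL_new (ssl_ctx);
 if (!conn)
 goto error;
+
+#if OPENSSL_VERSION_NUMBER >= 0x0090806fL && !defined(OPENSSL_NO_TLSEXT)
+ /* If the SSL library was build with support for ServerNameIndication
+ then use it whenever we have a hostname. If not, don't, ever. */
+ if (!is_ip_address(hostname))
+ {
+ if (!SSL_set_tlsext_host_name(conn, hostname)) {
+ DEBUGP (("Failed to set TLS server-name indication."));
+ goto error;
+ }
+ }
+#endif
 #ifndef FD_TO_SOCKET
 # define FD_TO_SOCKET(X) (X)
 #endif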
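Review bot: The SNI block added to `ssl_connect_wget` calls `is_ip_address(hostname)` with no NULL check, and `is_ip_address` (added to src/host.c in this same commit) runs `strlen` on its argument, so a NULL `hostname` from any caller is undefined behaviour before `SSL_set_tlsext_host_name` is reached; the comment says SNI is used "whenever we have a hostname", so make the guard say that: `if (hostname && !is_ip_address(hostname))`. The `DEBUGP` text has no trailing newline, unlike the other message visible in this diff (`... --random-file.\n`); if DEBUGP expects one, use `"Failed to set TLS server-name indication.\n"`. In the `ssl_init` hunk, `OPENSSL_config(NULL)` reads the default OpenSSL configuration file (the `OPENSSL_CONF` environment variable can redirect it) and the following `ENGINE_register_all_complete()` makes whatever engines that file enables the default implementation for the algorithms they claim, so which code performs the TLS crypto now depends on the process environment; a comment stating that this is deliberate would help the next reader. `ssl_connect_wget` continues outside the hunk.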
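--- a/src/ssl.h
+++ b/src/ssl.h
@@ -33,7 +33,7 @@ as that of the covered work. */
 #define GEN_SSLFUNC_H
 
 bool ssl_init (void);
-bool ssl_connect_wget (int);
+bool ssl_connect_wget (int, const char *);
 bool ssl_check_certificate (int, const char *);
 
 #endif /* GEN_SSLFUNC_H */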