[hackers] [PATCH] (SSL PATCH PATCH) Add SNI support to SSL branch with SSL_set_tlsext_host_name

From: Spenser Truex <truex_AT_equwal.com>
Date: Mon, 8 Sep 2025 11:54:43 -0700

This one line change to the patch tells the server what domain is being
used to connect via TLS. That way the TLS server (like
<https://git.causal.agency/pounce/about/calico.1>) can route the
connection using the name.

See rfc6066 for the definition and rfc8446 for extensions.

I included both the one line changed and the original one with it
patched on top for distribution on the suckless website.

---
 ii.c | 1 +
 1 file changed, 1 insertion(+)
diff --git a/ii.c b/ii.c
index 8ec009e..253e302 100644
--- a/ii.c
+++ b/ii.c
_AT_@ -444,6 +444,7 @@ tcpopen(conn *ircfd, const char *host, const char *service)
 		ERR_print_errors_fp(stderr);
 	ircfd->sslHandle = SSL_new(ircfd->sslContext);
 	if (!SSL_set_fd(ircfd->sslHandle, ircfd->irc) ||
+	    !SSL_set_tlsext_host_name(ircfd->sslHandle, host) ||
 	    (SSL_connect(ircfd->sslHandle) != 1))
 		ERR_print_errors_fp(stderr);
 }
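Review bot: the added `!SSL_set_tlsext_host_name(ircfd->sslHandle, host)` line passes `host` unconditionally, so connecting by IP address puts an address literal into server_name, which RFC 6066 does not permit (HostName must be a DNS name). Consider skipping the call when `host` parses as an IPv4 or IPv6 address. The call is also chained into the same condition as `SSL_set_fd` and `SSL_connect`, so a failure in any of the three only reaches `ERR_print_errors_fp(stderr)` and then falls through to the closing brace; the caller cannot tell that the handshake did not complete. Finally, SNI only tells the server which name was requested. Nothing in this hunk checks the presented certificate against `host`, so confirm that hostname verification (for example `SSL_set1_host` plus peer verification) is set up elsewhere in `tcpopen` or on the context.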
-- 
2.49.1
Received on Mon Sep 08 2025 - 20:54:43 CEST
