diff -Nur /home/cnk/src/dillo-3.0.5/dpi/https.c dillo-3.0.5/dpi/https.c
--- /home/cnk/src/dillo-3.0.5/dpi/https.c 2015-07-01 00:06:08.000000000 +1000
+++ dillo-3.0.5/dpi/https.c 2023-12-11 21:03:56.000000000 +1100
@@ -1,7 +1,7 @@
 /*
 * Dpi for HTTPS.
 *
- *
+ * Modified for SNI support by CNK. 2023-12-09
 *
 * W A R N I N G
 *
@@ -86,7 +86,7 @@
 #endif
-
+char servername[1024];
 /*---------------------------------------------------------------------------*/
 /*
@@ -162,7 +162,7 @@
 */
 if (exit_error == 0){
 SSL_CTX_set_options(ssl_context,
- SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3|SSL_OP_NO_COMPRESSION);
+ SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3);
 }
 /*Set directory to load certificates from*/
@@ -296,6 +296,14 @@
 }
 if (exit_error == 0){
+ /* Configure SSL to use the servername */
+ if(SSL_set_tlsext_host_name(ssl_connection, servername) == 0) {
+ MSG("Error setting servername to SSL\n");
+ exit_error = 1;
+ }
+ }
+
+ if (exit_error == 0){
 /*Actually do SSL connection handshake*/
 if (SSL_connect(ssl_connection) != 1){
 MSG("SSL_connect failed\n");
@@ -397,6 +405,10 @@
 }
 root_url = dStrdup(url_look_up);
+
+ memset(servername, 0, sizeof(servername));
+ strncpy(servername, root_url, sizeof(servername) - 1);
+
 hp=gethostbyname(url_look_up);
 /*url_look_uip no longer needed, so free if necessary*/
@@ -476,6 +488,12 @@
 case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT:
 /*Either self signed and untrusted*/
 /*Extract CN from certificate name information*/
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+ /*
+ * 'name' field has been removed in openssl-1.1.0 and newer
+ */
+ strcpy(buf, "('name' field removed)");
+#else
 if ((cn = strstr(remote_cert->name, "/CN=")) == NULL) {
 strcpy(buf, "(no CN given)");
 } else {
@@ -489,6 +507,7 @@
 strncpy(buf, cn, (size_t) (cn_end - cn));
 buf[cn_end - cn] = '\0';
 }
+#endif
 msg = dStrconcat("The remote certificate is self-signed and "
 "untrusted.\nFor address: ", buf, NULL);
 d_cmd = a_Dpip_build_cmd(
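Review bot: Dropping `SSL_OP_NO_COMPRESSION` from the `SSL_CTX_set_options()` call in the `-162,7 +162,7` hunk removes the explicit opt-out of TLS-level compression, and nothing in the diff says why. On OpenSSL builds that do not already disable compression by default, this exposes request secrets such as cookies to compression-ratio side channels of the CRIME kind. If the motive was an older header that lacks the macro (an assumption, nothing here confirms it), keep the flag behind `#ifdef SSL_OP_NO_COMPRESSION` rather than deleting it, as sketched below. The enclosing function starts and ends outside the hunk.

```c
if (exit_error == 0){
   unsigned long ssl_opts = SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3;
#ifdef SSL_OP_NO_COMPRESSION
   /* Keep TLS compression off wherever the library offers the option */
   ssl_opts |= SSL_OP_NO_COMPRESSION;
#endif
   SSL_CTX_set_options(ssl_context, ssl_opts);
}
/* … unchanged: certificate directory setup … */
```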
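Review bot: The block added in the `-296,6 +296,14` hunk only sends `servername` in the ClientHello; it does not make OpenSSL check that the certificate the server returns was issued for that name. Nothing else in this diff does that check, so unless code outside the hunks compares the certificate's names with the host, a certificate that chains to a trusted root but belongs to another host would still pass. With the host name now available, consider binding it to verification before `SSL_connect()`, e.g. `SSL_set1_host(ssl_connection, servername)` on OpenSSL 1.1.0 and newer, or `X509_check_host()` on the peer certificate after the handshake on 1.0.2. A comment above the block such as `/* SNI only selects the certificate; it does not validate it */` would keep the two concerns apart for the next reader. The enclosing function starts and ends outside the hunk.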
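Review bot: The copy into `servername` in the `-397,6 +405,10` hunk stays bounded and NUL-terminated (the `memset` plus `sizeof(servername) - 1`), but a host longer than 1023 bytes is cut silently and the shortened name is what the handshake hunk then sends as SNI. Failing the request is safer than connecting under a different name, e.g. `if (strlen(root_url) >= sizeof(servername)) { MSG("Host name too long\n"); exit_error = 1; }`, assuming `exit_error` is in scope at this point, which the hunk does not show. A literal IP address in the URL also lands in `servername`, and RFC 6066 does not permit those in SNI, so skipping `SSL_set_tlsext_host_name()` for them is worth considering. The buffer declared in the `-86,7 +86,7` hunk is used only in this file as far as the diff shows, so `static char servername[1024];` would keep it out of the global namespace. The enclosing function starts and ends outside the hunk.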
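Review bot: On OpenSSL 1.1.0 and newer, the `#if` branch added in the `-476,6 +488,12` hunk (closed by the `#endif` in the `-489,6 +507,7` hunk) puts the fixed string `('name' field removed)` where the certificate's CN used to go. The self-signed-certificate prompt therefore no longer tells the user which identity they are being asked to trust. The subject name is still reachable through accessors present in both old and new OpenSSL, e.g. `if (X509_NAME_get_text_by_NID(X509_get_subject_name(remote_cert), NID_commonName, buf, sizeof(buf)) < 0) strcpy(buf, "(no CN given)");`. That single call could also replace the `#else` branch, whose `strncpy(buf, cn, (size_t) (cn_end - cn))` has no visible bound against the size of `buf`. This assumes `buf` is an array declared outside the hunk; the `case` body also continues beyond both hunks.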