Package: fossil
Version: 1:2.8-1
Severity: normal

Dear Maintainer,
It seems fossil 2.8 is also affected by [1] and I think it should be updated as well. The following patch might work as a starting point, but I haven't tested anything beside it reporting an error when the host name doesn't match. It is an adaption of the patch at [1]. Best, Martin [1]: https://fossil-scm.org/home/info/aaab2a15d1dfc22f
--- fossil-2.8.orig/src/http_ssl.c
+++ fossil-2.8/src/http_ssl.c
@@ -236,6 +236,7 @@ static int establish_proxy_tunnel(UrlDat
 */
 int ssl_open(UrlData *pUrlData){
   X509 *cert;
+  const char *zRemoteHost;
   int hasSavedCertificate = 0;
   int trusted = 0;
   unsigned long e;
@@ -273,8 +274,10 @@ int ssl_open(UrlData *pUrlData){
     iBio = BIO_new_ssl(sslCtx, 1);
     BIO_push(iBio, sBio);
+    zRemoteHost = pUrlData->hostname;
   }else{
     iBio = BIO_new_ssl_connect(sslCtx);
+    zRemoteHost = pUrlData->name;
   }
   if( iBio==NULL ) {
     ssl_set_errmsg("SSL: cannot open SSL (%s)",
@@ -284,13 +287,20 @@ int ssl_open(UrlData *pUrlData){
   BIO_get_ssl(iBio, &ssl);
 #if (SSLEAY_VERSION_NUMBER >= 0x00908070) && !defined(OPENSSL_NO_TLSEXT)
-  if( !SSL_set_tlsext_host_name(ssl, (pUrlData->useProxy?pUrlData->hostname:pUrlData->name)) ){
+  if( !SSL_set_tlsext_host_name(ssl, zRemoteHost) ){
     fossil_warning("WARNING: failed to set server name indication (SNI), "
                    "continuing without it.\n");
   }
 #endif
   SSL_set_mode(ssl, SSL_MODE_AUTO_RETRY);
+#if OPENSSL_VERSION_NUMBER >= 0x010002000
+  X509_VERIFY_PARAM *param = 0;
+  param = SSL_get0_param(ssl);
+  if( !X509_VERIFY_PARAM_set1_host(param, zRemoteHost, strlen(zRemoteHost)) ){
+    fossil_fatal("failed to set hostname");
+  }
+#endif
   if( !pUrlData->useProxy ){
     char *connStr = mprintf("%s:%d", pUrlData->name, pUrlData->port);
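Review bot: The two new assignments to `zRemoteHost` (proxy branch: `pUrlData->hostname`, direct branch: `pUrlData->name`) are never checked for NULL, yet the later part of the patch passes the pointer to strlen() and X509_VERIFY_PARAM_set1_host(), so an unset field for some URL form would be a null dereference rather than a clean error. If either field can legitimately be missing here, an explicit guard right after the if/else, `if( zRemoteHost==0 || zRemoteHost[0]==0 ) fossil_fatal("no host name available for TLS verification");`, would fail loudly and keep the verification step from silently operating on an empty name. The selection itself mirrors the SNI expression the patch replaces, so it is consistent with the surrounding code. ssl_open's body continues outside this hunk.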