Hi,

fetch(1) currently does not support the TLS extension Server Name Indication (RFC 6066) [1] when dealing with SSL. Nowadays a lot of clients and servers implement this extension.

Using the TLS SNI Test website sni.velox.ch [2], the test fails in r251550:

% fetch -o out https://sni.velox.ch/ && grep 'libfetch' out
fetch: https://sni.velox.ch/: size of remote file is not known
out                                  5101  B  134 kBps 00m00s
<p><strong>Unfortunately, your client </strong>[fetch libfetch/2.0] <strong>

After patching lib/libfetch with my changes:

% cd /usr/src/lib/libfetch
% patch -p0 < <(fetch -o - http://people.freebsd.org/~sbz/fetch_ssl_sni.diff)

And after rebuilding the lib/libfetch library and the usr.bin/fetch program, the test succeeded:

% fetch -o out https://sni.velox.ch/ && grep 'libfetch' out
fetch: https://sni.velox.ch/: size of remote file is not known
out                                  5063  B  104 kBps 00m00s
<p><strong>Great! Your client </strong>[fetch libfetch/2.0] <strong>

Our OpenSSL version 1.0.1c in base supports this extension already. s_client does too, using the -servername argument:

% openssl version
OpenSSL 1.0.1c-freebsd 10 May 2012
% openssl s_client -h 2>&1| grep servername
 -servername host  - Set TLS extension servername in ClientHello
% openssl s_client -connect sni.velox.ch:443 -servername sni.velox.ch -tlsextdebug 2>/dev/null|grep 'extension'
TLS server extension "server name" (id=0), len=0
TLS server extension "renegotiation info" (id=65281), len=1
TLS server extension "EC point formats" (id=11), len=4
TLS server extension "session ticket" (id=35), len=0
TLS server extension "heartbeat" (id=15), len=1

You will find the patch here [3] and as an inline attachment. Is it OK for you, des@?

Regards

[1] http://en.wikipedia.org/wiki/Server_Name_Indication
[2] https://sni.velox.ch/
[3] http://people.freebsd.org/~sbz/fetch_ssl_sni.diff

--
Sofian Brabez
Index: common.c
===================================================================
--- common.c (revision 251547)
+++ common.c (working copy)
@@ -322,7 +322,7 @@
* Enable SSL on a connection.
*/
int
-fetch_ssl(conn_t *conn, int verbose)
+fetch_ssl(conn_t *conn, int verbose, char *hostname)
{
#ifdef WITH_SSL
int ret, ssl_err;
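Review bot: the new `hostname` parameter is only read (it is handed straight to `SSL_set_tlsext_host_name()` further down), so declare it `const char *hostname`; that matches the `const char *` used by the neighbouring prototypes in common.h (`fetch_connect(const char *, ...)`) and lets callers pass constant strings without a cast.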
@@ -345,6 +345,14 @@
return (-1);
}
SSL_set_fd(conn->ssl, conn->sd);
+
+#if OPENSSL_VERSION_NUMBER >= 0x0090806fL && !defined(OPENSSL_NO_TLSEXT)
+ if (!SSL_set_tlsext_host_name(conn->ssl, hostname)) {
+ fprintf(stderr, "TLS server name indication extension failed for host %s\n", hostname);
+ return (-1);
+ }
+#endif
+
while ((ret = SSL_connect(conn->ssl)) == -1) {
ssl_err = SSL_get_error(conn->ssl, ret);
if (ssl_err != SSL_ERROR_WANT_READ &&
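Review bot: the new block sends SNI unconditionally, but RFC 6066 section 3 states that literal IPv4 and IPv6 addresses are not permitted in the HostName field, and `hostname` comes from `URL->host`, which may well be an address literal (`https://192.0.2.1/`); guard the call, for example by skipping `SSL_set_tlsext_host_name()` when `inet_pton()` accepts the string for AF_INET or AF_INET6, and only treat a failure as fatal when a real name was supplied. The `fprintf(stderr, ...)` also ignores the `verbose` parameter that `fetch_ssl()` already receives, so route the message through the function's existing verbosity handling, and consider whether aborting the whole connection with `return (-1)` is the right reaction when the extension merely could not be set.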
Index: common.h
===================================================================
--- common.h (revision 251547)
+++ common.h (working copy)
@@ -87,7 +87,7 @@
conn_t *fetch_connect(const char *, int, int, int);
conn_t *fetch_reopen(int);
conn_t *fetch_ref(conn_t *);
-int fetch_ssl(conn_t *, int);
+int fetch_ssl(conn_t *, int, char*);
ssize_t fetch_read(conn_t *, char *, size_t);
int fetch_getln(conn_t *);
ssize_t fetch_write(conn_t *, const char *, size_t);
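Review bot: `char*` in the new prototype departs from the `char *` spacing used on every surrounding declaration (`fetch_read(conn_t *, char *, size_t)`, `fetch_write(conn_t *, const char *, size_t)`); write it as `const char *` both for style(9) consistency and because the hostname is never modified.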
Index: http.c
===================================================================
--- http.c (revision 251547)
+++ http.c (working copy)
@@ -1408,7 +1408,7 @@
http_get_reply(conn);
}
if (strcasecmp(URL->scheme, SCHEME_HTTPS) == 0 &&
- fetch_ssl(conn, verbose) == -1) {
+ fetch_ssl(conn, verbose, URL->host) == -1) {
fetch_close(conn);
/* grrr */
errno = EAUTH;
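As an added example that is not part of the patch above or of libfetch, the following Python builds and parses the RFC 6066 server_name extension on the wire and applies the rule the RFC attaches to it, namely that an IPv4 or IPv6 literal is never sent as a HostName. Python is used instead of C so that it runs without OpenSSL headers; the extension and name-type constants are the RFC values, everything else (function names, the constructed extension block containing a renegotiation_info entry ahead of the SNI entry) is this example's own.

```python
"""Encode, decode and gate the TLS server_name (SNI) extension of RFC 6066.

Added example, independent of libfetch and of the fetch_ssl_sni patch.
"""
import ipaddress
import struct

EXT_SERVER_NAME = 0x0000        # ExtensionType server_name (RFC 6066)
NAME_TYPE_HOST_NAME = 0x00      # NameType host_name
EXT_RENEGOTIATION_INFO = 0xFF01  # used only as a neighbouring extension in the sample block


def sni_allowed(host):
    """Return True if `host` may be sent as an SNI HostName.

    RFC 6066 section 3: literal IPv4/IPv6 addresses are not permitted, and the
    name must already be an ASCII (IDNA A-label) string.
    """
    bare = host[1:-1] if host.startswith("[") and host.endswith("]") else host
    try:
        ipaddress.ip_address(bare)
        return False            # address literal: send no server_name at all
    except ValueError:
        pass
    try:
        bare.encode("ascii")
    except UnicodeEncodeError:
        return False            # caller must IDNA-encode first
    return 0 < len(bare) <= 0xFFFF


def encode_server_name_ext(host):
    """Serialize one server_name extension (type + length + ServerNameList)."""
    name = host.encode("ascii")
    server_name = struct.pack("!BH", NAME_TYPE_HOST_NAME, len(name)) + name
    server_name_list = struct.pack("!H", len(server_name)) + server_name
    return struct.pack("!HH", EXT_SERVER_NAME, len(server_name_list)) + server_name_list


def build_extensions(host):
    """Constructed ClientHello extensions vector: renegotiation_info, then SNI if allowed."""
    exts = struct.pack("!HHB", EXT_RENEGOTIATION_INFO, 1, 0)  # empty renegotiated_connection
    if sni_allowed(host):
        exts += encode_server_name_ext(host)
    return struct.pack("!H", len(exts)) + exts


def extract_sni(extensions):
    """Walk a ClientHello extensions vector and return its HostName, or None.

    Every length field is checked against the bytes actually present, so a
    truncated or lying length raises ValueError instead of reading past the end.
    """
    if len(extensions) < 2:
        return None
    (total,) = struct.unpack("!H", extensions[:2])
    body = extensions[2:2 + total]
    if len(body) != total:
        raise ValueError("truncated extensions block")
    off = 0
    while off + 4 <= len(body):
        ext_type, ext_len = struct.unpack("!HH", body[off:off + 4])
        off += 4
        data = body[off:off + ext_len]
        if len(data) != ext_len:
            raise ValueError("truncated extension")
        off += ext_len
        if ext_type != EXT_SERVER_NAME:
            continue
        if len(data) < 2:
            raise ValueError("short server_name extension")
        (list_len,) = struct.unpack("!H", data[:2])
        names = data[2:2 + list_len]
        if len(names) != list_len:
            raise ValueError("truncated ServerNameList")
        noff = 0
        while noff + 3 <= len(names):
            name_type, name_len = struct.unpack("!BH", names[noff:noff + 3])
            noff += 3
            name = names[noff:noff + name_len]
            if len(name) != name_len:
                raise ValueError("truncated ServerName")
            noff += name_len
            if name_type == NAME_TYPE_HOST_NAME:
                return name.decode("ascii")
        return None
    return None


if __name__ == "__main__":
    for host in ("sni.velox.ch", "192.0.2.1", "[2001:db8::1]"):
        block = build_extensions(host)
        print(host, "->", block.hex(), "SNI =", extract_sni(block))
```

The same walker can be pointed at the extensions vector of a captured ClientHello to recover the name a client asked for, which is how SNI-based visibility on a network tap works; the length checks are what keep it safe on hostile or truncated input.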