From 3c41e85fc4a9e92d0d4c0ef80dcdc77941ff0744 Mon Sep 17 00:00:00 2001
From: JT Olds
Date: Tue, 29 Apr 2014 03:00:44 -0600
Subject: [PATCH] openssl: add sni to dial helper

Change-Id: Ibfa19f720987a7ba39e3a02c47d8e9f3fff925be
---
 conn.go | 2 ++
 net.go | 19 +++++++++++++------
 2 files changed, 15 insertions(+), 6 deletions(-)

diff --git a/conn.go b/conn.go
index 2c18b41..4cde9ce 100644
--- a/conn.go
+++ b/conn.go
@@ -99,6 +99,8 @@ func newConn(conn net.Conn, ctx *Ctx) (*Conn, error) {
 // connection, you are responsible for verifying the peer's hostname.
 // Otherwise, you are vulnerable to MITM attacks.
 //
+// Client also does not set up SNI for you like Dial does.
+//
 // Client connections probably won't work for you unless you set a verify
 // location or add some certs to the certificate store of the client context
 // you're using. This library is not nice enough to use the system certificate
diff --git a/net.go b/net.go
index cd993fb..4ee92ed 100644
--- a/net.go
+++ b/net.go
@@ -50,7 +50,8 @@ func Listen(network, laddr string, ctx *Ctx) (net.Listener, error) {
 type DialFlags int
 
 const (
-	InsecureSkipHostVerification DialFlags = 0x01
+	InsecureSkipHostVerification DialFlags = 1 << iota
+	DisableSNI
 )
 
 // Dial will connect to network/address and then wrap the corresponding
@@ -64,6 +65,10 @@ const (
 // This library is not nice enough to use the system certificate store by
 // default for you yet.
 func Dial(network, addr string, ctx *Ctx, flags DialFlags) (*Conn, error) {
+	host, _, err := net.SplitHostPort(addr)
+	if err != nil {
+		return nil, err
+	}
 	if ctx == nil {
 		var err error
 		ctx, err = NewCtx()
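Review bot: DisableSNI is an exported constant added without a doc comment, and InsecureSkipHostVerification next to it has none either, so package readers cannot tell what each flag gives up. Suggest `// DisableSNI stops Dial from sending the server_name (SNI) extension; a server that hosts several certificates on one address may then present the wrong one.` and `// InsecureSkipHostVerification skips the hostname check after the handshake; use it only when the peer is verified by other means.` Putting the comments directly above each identifier keeps them visible in the generated package documentation.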
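Review bot: With `err` now declared at the top of Dial by the hoisted `net.SplitHostPort` call, the `var err error` inside `if ctx == nil` (a context line at the end of this hunk) shadows it; `go vet`'s shadow check flags this and it makes a later assignment to the wrong `err` easy to miss. Drop that line so `ctx, err = NewCtx()` assigns the outer variable. Dial's body continues past the hunk.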
@@ -81,17 +86,19 @@ func Dial(network, addr string, ctx *Ctx, flags DialFlags) (*Conn, error) {
 		c.Close()
 		return nil, err
 	}
+	if flags&DisableSNI == 0 {
+		err = conn.SetTlsExtHostName(host)
+		if err != nil {
+			conn.Close()
+			return nil, err
+		}
+	}
 	err = conn.Handshake()
 	if err != nil {
 		c.Close()
 		return nil, err
 	}
 	if flags&InsecureSkipHostVerification == 0 {
-		host, _, err := net.SplitHostPort(addr)
-		if err != nil {
-			conn.Close()
-			return nil, err
-		}
 		err = conn.VerifyHostname(host)
 		if err != nil {
 			conn.Close()
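Review bot: `conn.SetTlsExtHostName(host)` is called with whatever `net.SplitHostPort` returned, including an empty host (an addr like `:443`) or an IP literal, yet RFC 6066 section 3 does not permit literal IPv4/IPv6 addresses in the server_name extension and some servers reject or ignore such a ClientHello. Guard the call: `if flags&DisableSNI == 0 && host != "" && net.ParseIP(host) == nil {`. Separately, the new error path closes `conn` while the Handshake failure just below closes `c`; presumably only one of these releases the underlying socket, so it is worth confirming which Close the wrapped connection needs and using it in both places. Dial's body continues past the hunk.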