From 92a99736fd22564515604aa140b8898befd9858e Mon Sep 17 00:00:00 2001 From: Nick Mathewson Date: Sat, 20 Nov 2010 22:21:50 -0500 Subject: [PATCH] Do not set the hostname TLS extension server-side; only client-side This may fix bug 2204, and resolve the incompatibility with openssl 0.9.8p/1.0.0b. --- changes/fix2204 | 7 +++++++ src/common/tortls.c | 2 +- 2 files changed, 8 insertions(+), 1 deletion(-) create mode 100644 changes/fix2204 diff --git a/changes/fix2204 b/changes/fix2204 new file mode 100644 index 0000000000..fb2771a7fa --- /dev/null +++ b/changes/fix2204 @@ -0,0 +1,7 @@ + o Major bugfixes + - Do not set the tlsext_host_name extension on server SSL objects; + only on client SSL objects. We set it to immitate a browser, not a + vhosting server. This resolves an incompatibility with openssl 0.9.8p + and openssl 1.0.0b. Fixes bug 2204; bugfix on 0.2.1.1-alpha. + + diff --git a/src/common/tortls.c b/src/common/tortls.c index 25f21a9892..2915f79195 100644 --- a/src/common/tortls.c +++ b/src/common/tortls.c @@ -898,7 +898,7 @@ tor_tls_new(int sock, int isServer) #ifdef SSL_set_tlsext_host_name /* Browsers use the TLS hostname extension, so we should too. */ - { + if (!isServer) { char *fake_hostname = crypto_random_hostname(4,25, "www.",".com"); SSL_set_tlsext_host_name(result->ssl, fake_hostname); tor_free(fake_hostname);