sergot / openssl

OpenSSL bindings for Perl 6
MIT License

Support Server Name Indication #36

Closed jonathanstowe closed 7 years ago

jonathanstowe commented 7 years ago

In order to work with name-based virtual hosts properly, the library needs to set SSL_set_tlsext_host_name, which is actually a macro:

    #  define SSL_set_tlsext_host_name(s,name) \
            SSL_ctrl(s,SSL_CTRL_SET_TLSEXT_HOSTNAME,TLSEXT_NAMETYPE_host_name,(char *)name)

Currently attempting to connect to a host that uses Server Name Indication fails.
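Because the macro has no symbol in libssl, a NativeCall binding cannot import it by name; it has to call SSL_ctrl itself with the two constants the macro expands to. The following is an added example of that approach, not code from the sergot/openssl module. It assumes libssl.so.1.1 is installed (OpenSSL 1.1.x, which provides TLS_client_method); the constant values 55 and 0 come from OpenSSL's ssl.h and tls1.h. The servername is read back with SSL_get_servername, which on a client-side SSL object before the handshake returns the value that was set, so the check needs no network connection.

```raku
use NativeCall;

# Added example, not the sergot/openssl module's own code.
# Assumption: libssl.so.1.1 is on the library path; change the version
# (e.g. v3 for OpenSSL 3.x) to match the installed OpenSSL.
constant LIBSSL = ('ssl', v1.1);

# From OpenSSL's ssl.h and tls1.h: the arguments the macro passes to SSL_ctrl.
constant SSL_CTRL_SET_TLSEXT_HOSTNAME = 55;
constant TLSEXT_NAMETYPE_host_name    = 0;

# Opaque handles; we never look inside them.
class SSL_CTX is repr('CPointer') { }
class SSL     is repr('CPointer') { }

sub TLS_client_method(--> Pointer)            is native(LIBSSL) { * }
sub SSL_CTX_new(Pointer --> SSL_CTX)          is native(LIBSSL) { * }
sub SSL_CTX_free(SSL_CTX)                     is native(LIBSSL) { * }
sub SSL_new(SSL_CTX --> SSL)                  is native(LIBSSL) { * }
sub SSL_free(SSL)                             is native(LIBSSL) { * }
# long SSL_ctrl(SSL *s, int cmd, long larg, void *parg); parg is the hostname
sub SSL_ctrl(SSL, int32, long, Str --> long)  is native(LIBSSL) { * }
# const char *SSL_get_servername(const SSL *s, int type)
sub SSL_get_servername(SSL, int32 --> Str)    is native(LIBSSL) { * }

# Raku-side stand-in for the C macro. SSL_ctrl returns 1 when the name was
# accepted and 0 when it was refused, so we map that onto a Bool.
sub SSL_set_tlsext_host_name(SSL $ssl, Str $hostname --> Bool) {
    SSL_ctrl($ssl, SSL_CTRL_SET_TLSEXT_HOSTNAME,
             TLSEXT_NAMETYPE_host_name, $hostname) == 1
}

sub MAIN(Str $host = 'api.soundcloud.com') {
    my $ctx = SSL_CTX_new(TLS_client_method()) // die 'SSL_CTX_new failed';
    my $ssl = SSL_new($ctx)                    // die 'SSL_new failed';

    # The name must be set before the handshake starts; OpenSSL then places
    # it in the ClientHello's server_name extension, which is what the
    # failing s_client run below lacks.
    say "SNI set for $host: ", SSL_set_tlsext_host_name($ssl, $host);
    say "servername now:    ", SSL_get_servername($ssl, TLSEXT_NAMETYPE_host_name);

    # Edge case: SSL_ctrl refuses names longer than TLSEXT_MAXLEN_host_name
    # (255 bytes) and returns 0 instead of truncating, so a binding should
    # surface that as an error rather than assume the call always succeeds.
    say "over-long name accepted: ", SSL_set_tlsext_host_name($ssl, 'a' x 300);

    SSL_free($ssl);
    SSL_CTX_free($ctx);
}
```

Run it as `raku sni.raku api.soundcloud.com`. The point of the design is that the binding exposes the two constants rather than hard-coding the call, so the same SSL_ctrl binding can serve other SSL_CTRL_* commands later, and that the return value of SSL_ctrl is checked, since a silently ignored failure would reproduce exactly the handshake alert shown in the next comment.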

jonathanstowe commented 7 years ago

You can confirm that this is the case for a particular host by using the OpenSSL client:

Failing Case:

[jonathan@coriolanus WebService-Soundcloud]$ openssl s_client -connect api.soundcloud.com:443
CONNECTED(00000003)
139734441662328:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:769:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 201 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID: 
    Session-ID-ctx: 
    Master-Key: 
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1492257315
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---

With Servername:

[jonathan@coriolanus WebService-Soundcloud]$ openssl s_client -connect api.soundcloud.com:443 -servername api.soundcloud.com
CONNECTED(00000003)
depth=2 C = BE, O = GlobalSign nv-sa, OU = Root CA, CN = GlobalSign Root CA
verify return:1
depth=1 C = BE, O = GlobalSign nv-sa, CN = GlobalSign Domain Validation CA - SHA256 - G2
verify return:1
depth=0 OU = Domain Control Validated, CN = *.soundcloud.com
verify return:1
---
Certificate chain
 0 s:/OU=Domain Control Validated/CN=*.soundcloud.com
   i:/C=BE/O=GlobalSign nv-sa/CN=GlobalSign Domain Validation CA - SHA256 - G2
 1 s:/C=BE/O=GlobalSign nv-sa/CN=GlobalSign Domain Validation CA - SHA256 - G2
   i:/C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA
 2 s:/C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA
   i:/C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA
---
Server certificate
-----BEGIN CERTIFICATE-----
[certificate body omitted]
-----END CERTIFICATE-----
subject=/OU=Domain Control Validated/CN=*.soundcloud.com
issuer=/C=BE/O=GlobalSign nv-sa/CN=GlobalSign Domain Validation CA - SHA256 - G2
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 3978 bytes and written 354 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Session-ID: 66E9DABB7B50DEF1E82E2BA6BBB6026A5C202D143EB199CDE9C0E981E240926A
    Session-ID-ctx: 
    Master-Key: FDDD0FD66BAF6B3BB7B55FD3C33855CA7E478E18EABCA72D254769E823E25F3913057D51DE243CBDABB39E340548B120
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    TLS session ticket lifetime hint: 10800 (seconds)
    TLS session ticket:
    0000 - a2 dc 8c d5 db f6 88 d8-99 79 b5 12 e4 b6 e9 32   .........y.....2
    0010 - e3 43 97 1e 69 0c a1 87-d2 3b 31 09 29 23 cd 5e   .C..i....;1.)#.^
    0020 - 18 ad 20 bc ae a0 ad 9f-c8 e9 8e e3 93 73 5d c9   .. ..........s].
    0030 - e5 1e ea a2 69 ec a7 bc-91 eb 8f da 07 7a a7 2b   ....i........z.+
    0040 - cb 57 8d 19 eb c1 19 da-0b 08 39 3f 31 9b ac 70   .W........9?1..p
    0050 - a8 af bf 59 de 90 4f 5e-de 3d 1a 09 ec c3 0b 83   ...Y..O^.=......
    0060 - ae fc 9d e6 0e 86 72 ef-34 f2 d9 1f 21 5b e2 2d   ......r.4...![.-
    0070 - a1 72 62 bc 39 68 8a ab-94 30 40 85 83 ba bc 65   .rb.9h...0@....e
    0080 - c7 e7 35 2e 00 c8 68 63-2a 87 00 e6 3a 1b a8 68   ..5...hc*...:..h
    0090 - b8 55 37 0f 8d 70 24 4b-3c 51 7b 58 b8 27 42 c9   .U7..p$K<Q{X.'B.
    00a0 - 6b b6 2c 2a 5d 1f 5b be-dd eb 35 ba 1d 7c b2 4c   k.,*].[...5..|.L

    Start Time: 1492257449
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
GET / HTTP/1.0

HTTP/1.1 400 Bad Request
Server: CloudFront
Date: Sat, 15 Apr 2017 11:57:38 GMT
Content-Type: text/html
Content-Length: 551
Connection: close
X-Cache: Error from cloudfront
Via: 1.1 974c28f7c099ed222b7c7aa8bcbaf5da.cloudfront.net (CloudFront)
X-Amz-Cf-Id: y9tkxXmD8DCUtmfbqoMVv9u5xNC27zP6iV5JuV3IaIpLTaHv8VTvug==

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<HTML><HEAD><META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">
<TITLE>ERROR: The request could not be satisfied</TITLE>
</HEAD><BODY>
<H1>ERROR</H1>
<H2>The request could not be satisfied.</H2>
<HR noshade size="1px">
Bad request.
<BR clear="all">
<HR noshade size="1px">
<PRE>
Generated by cloudfront (CloudFront)
Request ID: y9tkxXmD8DCUtmfbqoMVv9u5xNC27zP6iV5JuV3IaIpLTaHv8VTvug==
</PRE>
<ADDRESS>
</ADDRESS>
</BODY></HTML>