diff options
author | Alexander Bluhm <[email protected]> | 2017-03-10 00:31:41 +0100 |
---|---|---|
committer | Alexander Bluhm <[email protected]> | 2017-03-25 00:40:55 +0100 |
commit | 9ba487cbae4bb1f4b47c55c85f7b5219c0cbf182 (patch) | |
tree | 8a56db822c0274e2f5f82443ea7818bd90e055c1 /src/cli/tls_client.cpp | |
parent | e7e130c3d56eead0d2f9e9cd5d00541a9c7fd006 (diff) |
tls_client must not pass an IP address as server information
RFC 6066 section 3 says: Literal IPv4 and IPv6 addresses are not
permitted in "HostName". But if a user passes an IP address to
botan tls_client as connect address, this is also used for SNI.
Some TLS server like libtls from the LibreSSL project check that a
provided hostname is a DNS name. The TLS connection attempt from
botan is rejected with a fatal alert.
Diffstat (limited to 'src/cli/tls_client.cpp')
-rw-r--r-- | src/cli/tls_client.cpp | 12 |
1 files changed, 11 insertions, 1 deletions
diff --git a/src/cli/tls_client.cpp b/src/cli/tls_client.cpp index f3b3425a5..3cba471f0 100644 --- a/src/cli/tls_client.cpp +++ b/src/cli/tls_client.cpp @@ -25,6 +25,7 @@ #include <sys/time.h> #include <sys/socket.h> #include <netinet/in.h> +#include <arpa/inet.h> #include <netdb.h> #include <unistd.h> #include <errno.h> @@ -117,12 +118,21 @@ class TLS_Client final : public Command, public Botan::TLS::Callbacks version = Botan::TLS::Protocol_Version::TLS_V11; } + struct sockaddr_storage addrbuf; + std::string hostname; + if(!host.empty() && + inet_pton(AF_INET, host.c_str(), &addrbuf) != 1 && + inet_pton(AF_INET6, host.c_str(), &addrbuf) != 1) + { + hostname = host; + } + Botan::TLS::Client client(*this, *session_mgr, creds, *policy, rng(), - Botan::TLS::Server_Information(host, port), + Botan::TLS::Server_Information(hostname, port), version, protocols_to_offer); |