From 15fb8fcc7b98c3eba8eab79b227127b4b71b096c Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher
Date: Fri, 15 Mar 2024 23:24:39 +0100
Subject: [PATCH] s4:lib/tls: include a TLS server name indication in the client handshake

This is not strictly needed, but it might be useful for load balancers.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15621

Signed-off-by: Stefan Metzmacher
Reviewed-by: Andrew Bartlett
---
 source4/lib/tls/tls_tstream.c | 22 ++++++++++++++++++++++
 1 file changed, 22 insertions(+)

diff --git a/source4/lib/tls/tls_tstream.c b/source4/lib/tls/tls_tstream.c
index cfcff836624..8b6d89b802a 100644
--- a/source4/lib/tls/tls_tstream.c
+++ b/source4/lib/tls/tls_tstream.c
@@ -992,6 +992,7 @@ static NTSTATUS tstream_tls_prepare_gnutls(struct tstream_tls_params *_tlsp,
 struct tstream_tls_params_internal *tlsp = NULL;
 int ret;
 unsigned int flags;
+ const char *hostname = NULL;
 
 if (tlss->is_server) {
 flags = GNUTLS_SERVER;
@@ -1025,10 +1026,20 @@ static NTSTATUS tstream_tls_prepare_gnutls(struct tstream_tls_params *_tlsp,
 tlss->verify_peer = tlsp->verify_peer;
 
 if (tlsp->peer_name != NULL) {
+ bool ip = is_ipaddress(tlsp->peer_name);
+
 tlss->peer_name = talloc_strdup(tlss, tlsp->peer_name);
 if (tlss->peer_name == NULL) {
 return NT_STATUS_NO_MEMORY;
 }
+
+ if (!ip) {
+ hostname = tlss->peer_name;
+ }
+
+ if (tlss->verify_peer < TLS_VERIFY_PEER_CA_AND_NAME) {
+ hostname = NULL;
+ }
 }
 
 if (tlss->current_ev != NULL) {
@@ -1070,6 +1081,17 @@ static NTSTATUS tstream_tls_prepare_gnutls(struct tstream_tls_params *_tlsp,
 NT_STATUS_CRYPTO_SYSTEM_INVALID);
 }
 
+ if (hostname != NULL) {
+ ret = gnutls_server_name_set(tlss->tls_session,
+ GNUTLS_NAME_DNS,
+ hostname,
+ strlen(hostname));
+ if (ret != GNUTLS_E_SUCCESS) {
+ return gnutls_error_to_ntstatus(ret,
+ NT_STATUS_CRYPTO_SYSTEM_INVALID);
+ }
+ }
+
 if (tlss->is_server) {
 gnutls_certificate_server_set_request(tlss->tls_session,
 GNUTLS_CERT_REQUEST);
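Review bot: The two conditions in the second hunk that decide whether an SNI is sent (`if (!ip)` and the later `verify_peer < TLS_VERIFY_PEER_CA_AND_NAME` reset to NULL) carry no comment, and the commit message only says the name "might be useful for load balancers", so a later reader cannot tell why the name is withheld for IP literals and for weaker verify_peer settings. Suggest folding them into one guarded assignment with a comment, e.g. `/* RFC 6066 forbids IP literals in SNI; only advertise a name this session also verifies */` followed by `if (!ip && tlss->verify_peer >= TLS_VERIFY_PEER_CA_AND_NAME) { hostname = tlss->peer_name; }`. In the third hunk gnutls_server_name_set() runs whenever hostname is non-NULL, before the is_server branch; if peer_name can also be populated for server-side params (not visible here), guarding the call with `!tlss->is_server` would make the client-only intent explicit, and a short comment that the name is transmitted in the clear in the ClientHello would document the exposure. tstream_tls_prepare_gnutls() starts and ends outside these hunks.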