#12 Add rudimentary SNI support

None
closed-fixed
None
5
2014-12-08
2013-04-09
No

This patch adds rudimentary support for Server Name Indication as specified in sec. 3.1 of RFC 4366. It has been tested against OpenSSL only; I'm not sure if it works with GNU TLS. This patch assumes an SNI-capable version of OpenSSL, but autoconf macros and ifdefs can be added to avoid issues with earlier versions.

Trivial usage example:

package require http
package require tls

::http::register https 443 [list ::tls::socket -tls1 true -sni foo.bar.com]
set tok [http::geturl https://foo.bar.com -channel stdout]
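
An added example, not part of the ticket or the patch: the usage above hard-codes one name for every https connection, so this variant derives the name from the host that http is connecting to, using the -servername option name that the thread below settles on. The proc name ::sni_socket and the CA directory path are assumptions.

```tcl
package require http
package require tls

# Hypothetical helper (the name ::sni_socket is an assumption).
# The http package invokes the registered command as
#   cmd ?socket options? host port
# so the last two arguments identify the endpoint being contacted.
# Caveat: when an http proxy is configured, that endpoint is the proxy.
proc ::sni_socket {args} {
    set host [lindex $args end-1]
    set port [lindex $args end]
    set opts [lrange $args 0 end-2]

    set tlsopts [list -tls1 true]

    # RFC 4366 sec. 3.1 does not permit literal IPv4 or IPv6 addresses
    # in HostName, so only send the extension for DNS names.
    set isIPv4 [regexp {^[0-9]+(\.[0-9]+){3}$} $host]
    set isIPv6 [expr {[string first : $host] >= 0}]
    if {!$isIPv4 && !$isIPv6} {
        lappend tlsopts -servername $host
    }

    # SNI only tells the server which certificate to present; it does not
    # authenticate the server. -require true makes the handshake fail when
    # the peer certificate does not validate against the given CAs.
    # The CA directory below is an assumed path; adjust for the system.
    lappend tlsopts -require true -cadir /etc/ssl/certs

    return [::tls::socket {*}$tlsopts {*}$opts $host $port]
}

::http::register https 443 ::sni_socket

set tok [::http::geturl https://foo.bar.com/]
puts [::http::status $tok]
::http::cleanup $tok
```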

Discussion

  • Kevin J. Woolley

    Take 2 of adding the feature.

    - now errors out if -require is true and adding the TLS extension host name fails

     
  • Jeffrey Hobbs

    Jeffrey Hobbs - 2013-04-11
    • assigned_to: nobody --> hobbs
     
  • Kevin J. Woolley

    Added what I think should work for Tcl_AppendResult around line 892-ish, but if I take that code path I get the segfault I mentioned.

     
  • Kevin J. Woolley

    This latest patch includes proper OPENSSL_NO_TLSEXT ifdefs for all but the OPTBAD, which I haven't been able to get shown in tclsh. If it's worth the duplication to have alternates ifdef'd there, let me know and I'll add them.

     
  • Kevin J. Woolley

    New patch with -servername instead of -sni.

     
  • Kevin J. Woolley

    Latest patch version includes a change from -sni to -servername, so touches tls.tcl as well.

     
  • Andreas Kupries

    Andreas Kupries - 2014-11-20

    Patch looks ok to me. Is missing a change to the documentation (tls.htm).
    Builds fine for Linux. Other platforms will be checked in the upcoming nightly.

     
  • Andreas Kupries

    Andreas Kupries - 2014-11-27

    Patch looks to be working for the stackato client.
    I vote for committing this to the official code base.

     
    • Jeffrey Hobbs

      Jeffrey Hobbs - 2014-11-28

      Definitely in favor of committing to core tls with version bump.

       
  • Andreas Kupries

    Andreas Kupries - 2014-12-08

    Committed to CVS, under version 1.6.4

     
  • Andreas Kupries

    Andreas Kupries - 2014-12-08
    • status: open --> closed-fixed
    • assigned_to: Jeffrey Hobbs --> Andreas Kupries
    • Group: -->