- Perform TLS SNI indication of the host that is being contacted
authorWouter Wijngaards <wouter@nlnetlabs.nl>
Tue, 25 Sep 2018 08:31:42 +0000 (08:31 +0000)
committerWouter Wijngaards <wouter@nlnetlabs.nl>
Tue, 25 Sep 2018 08:31:42 +0000 (08:31 +0000)
  for DNS over TLS service.  It sets the configured tls auth name.
  This is useful for hosts that apart from the DNS over TLS services
  also provide other (web) services.

git-svn-id: file:///svn/unbound/trunk@4914 be551aaa-1e26-0410-a405-d3ace91eadb9

doc/Changelog
services/outside_network.c

index 274dfa7843c0a093ff49627b599433867ad962e5..63fecca8b86d3a1a242b7036c396cb29a3d07c8c 100644 (file)
@@ -1,3 +1,9 @@
+25 September 2018: Wouter
+       - Perform TLS SNI indication of the host that is being contacted
+         for DNS over TLS service.  It sets the configured tls auth name.
+         This is useful for hosts that apart from the DNS over TLS services
+         also provide other (web) services.
+
 17 September 2018: Wouter
        - Fix compile on Mac for unbound, provide explicit_bzero when libc
          does not have it.
index 75338f446befdcc5aece3fd41482c245f7e6f329..54bbf6f56b2500673e505d795359c0b65194860c 100644 (file)
@@ -365,6 +365,9 @@ outnet_tcp_take_into_use(struct waiting_tcp* w, uint8_t* pkt, size_t pkt_len)
                comm_point_tcp_win_bio_cb(pend->c, pend->c->ssl);
 #endif
                pend->c->ssl_shake_state = comm_ssl_shake_write;
+               if(w->tls_auth_name) {
+                       (void)SSL_set_tlsext_host_name(pend->c->ssl, w->tls_auth_name);
+               }
 #ifdef HAVE_SSL_SET1_HOST
                if(w->tls_auth_name) {
                        SSL_set_verify(pend->c->ssl, SSL_VERIFY_PEER, NULL);
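Review bot: The return value of `SSL_set_tlsext_host_name` is discarded with `(void)` in the added block, so when the call fails the handshake goes out without SNI and nothing is logged. A server that hosts several certificates may then present its default one, and the name check set up under `HAVE_SSL_SET1_HOST` would fail with a mismatch that is hard to trace back to this line. I would log the failure, for example `if(!SSL_set_tlsext_host_name(pend->c->ssl, w->tls_auth_name)) log_err("SSL_set_tlsext_host_name failed");`. The name is also sent on builds without `HAVE_SSL_SET1_HOST`, where the visible lines enable no peer verification, so a short comment such as `/* SNI only selects the server certificate; it does not authenticate the upstream */` would help. The enclosing function starts and ends outside the hunk.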