From: Timo Sirainen
Date: Tue, 31 Oct 2017 21:51:53 +0000 (+0200)
Subject: doveadm: Send hostname without ":port" as TLS SNI name for outgoing SSL connections.
X-Git-Tag: 2.3.0.rc1~598
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=1b7459fda7de40f963e64da1886af68ad05fd10d;p=thirdparty%2Fdovecot%2Fcore.git
doveadm: Send hostname without ":port" as TLS SNI name for outgoing SSL connections.
---
diff --git a/src/doveadm/doveadm-dsync.c b/src/doveadm/doveadm-dsync.c
index 4af632dc44..1224052385 100644
--- a/src/doveadm/doveadm-dsync.c
+++ b/src/doveadm/doveadm-dsync.c
@@ -804,10 +804,13 @@ dsync_connect_tcp(struct dsync_cmd_context *ctx,
 struct server_connection *conn;
 struct ioloop *ioloop;
 string_t *cmd;
- const char *error;
+ const char *p, *error;
 server = p_new(ctx->ctx.pool, struct doveadm_server, 1);
 server->name = p_strdup(ctx->ctx.pool, target);
+ p = strrchr(server->name, ':');
+ server->hostname = p == NULL ? server->name :
+ p_strdup_until(ctx->ctx.pool, server->name, p);
 if (ssl) {
 if (dsync_init_ssl_ctx(ctx, mail_set, &error) < 0) {
 *error_r = t_strdup_printf(
diff --git a/src/doveadm/doveadm-mail-server.c b/src/doveadm/doveadm-mail-server.c
index b84260820f..0fb4a1e4d3 100644
--- a/src/doveadm/doveadm-mail-server.c
+++ b/src/doveadm/doveadm-mail-server.c
@@ -39,6 +39,7 @@ static struct doveadm_server *
 doveadm_server_get(struct doveadm_mail_cmd_context *ctx, const char *name)
 {
 struct doveadm_server *server;
+ const char *p;
 char *dup_name;
 if (!hash_table_is_created(servers)) {
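Review bot: The added `p = strrchr(server->name, ':')` split mis-parses IPv6 literal targets if dsync accepts them: `[::1]:12345` yields the hostname `[::1]` and a bare `::1` yields `:`, so the certificate check and the SNI name would both be wrong for such a target. If the tree's `net_str2hostport()` is usable here it already understands the bracketed form, e.g. `if (net_str2hostport(server->name, 0, &host, &port) < 0) { *error_r = t_strdup_printf("Invalid target %s", server->name); return -1; }` followed by `server->hostname = p_strdup(ctx->ctx.pool, host);`, which avoids keeping a second, weaker parser. Failing that, the new lines should at least document that the port is whatever follows the last ':' and that bracketed IPv6 addresses are not handled. dsync_connect_tcp() starts before and continues after this hunk.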
@@ -49,6 +50,10 @@ doveadm_server_get(struct doveadm_mail_cmd_context *ctx, const char *name)
 if (server == NULL) {
 server = p_new(server_pool, struct doveadm_server, 1);
 server->name = dup_name = p_strdup(server_pool, name);
+ p = strrchr(server->name, ':');
+ server->hostname = p == NULL ? server->name :
+ p_strdup_until(server_pool, server->name, p);
+
 p_array_init(&server->connections, server_pool, ctx->set->doveadm_worker_count);
 p_array_init(&server->queue, server_pool,
diff --git a/src/doveadm/doveadm-server.h b/src/doveadm/doveadm-server.h
index ec479537f9..170a554052 100644
--- a/src/doveadm/doveadm-server.h
+++ b/src/doveadm/doveadm-server.h
@@ -5,7 +5,10 @@ extern struct client_connection *doveadm_client;
 extern struct doveadm_print_vfuncs doveadm_print_server_vfuncs;
 struct doveadm_server {
+ /* host:port */
 const char *name;
+ /* host only */
+ const char *hostname;
 struct ssl_iostream_context *ssl_ctx;
 ARRAY(struct server_connection *) connections;
diff --git a/src/doveadm/server-connection.c b/src/doveadm/server-connection.c
index adc8d53b78..48fc44e456 100644
--- a/src/doveadm/server-connection.c
+++ b/src/doveadm/server-connection.c
@@ -489,14 +489,10 @@ static int server_connection_read_settings(struct server_connection *conn)
 static int server_connection_ssl_handshaked(const char **error_r, void *context)
 {
 struct server_connection *conn = context;
- const char *host, *p;
- host = conn->server->name;
- p = strrchr(host, ':');
- if (p != NULL)
- host = t_strdup_until(host, p);
-
- if (ssl_iostream_check_cert_validity(conn->ssl_iostream, host, error_r) < 0)
+ if (ssl_iostream_check_cert_validity(conn->ssl_iostream,
+ conn->server->hostname,
+ error_r) < 0)
 return -1;
 if (doveadm_debug)
 i_debug("%s: SSL handshake successful", conn->server->name);
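Review bot: The three added lines in doveadm_server_get() are a verbatim copy of the host split just added to dsync_connect_tcp() in doveadm-dsync.c, with only the pool differing, so any later fix to the parsing (IPv6 brackets, validation) has to be made twice and can silently diverge. Since both sites fill the same `struct doveadm_server`, a single helper declared next to the struct would keep them in step, e.g. `const char *doveadm_server_hostname(pool_t pool, const char *name);` returning `name` itself when there is no ':' and a pool copy of the prefix otherwise, called here as `server->hostname = doveadm_server_hostname(server_pool, server->name);`. The blank `+` line added before `p_array_init()` is fine but worth a one-line comment saying `hostname` aliases `name` when no port was given, since both are pool-owned and neither is freed separately. doveadm_server_get() continues after this hunk.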
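Review bot: The new field comments `/* host:port */` and `/* host only */` in doveadm-server.h describe the shape of the strings but not what each one is for, which is the reason the field was split out. Suggest replacing them with `/* target as given by the caller, host[:port]; used in log messages */` on `name`, and on `hostname` `/* host part of name, same pointer as name when no port was given; sent as the TLS SNI name and checked against the server certificate */`, which matches how server-connection.c now uses the two. It is also worth stating that the port is taken after the last ':' in name, since that is what the two callers implement.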
@@ -515,7 +511,7 @@ static int server_connection_init_ssl(struct server_connection *conn)
 ssl_set.verbose_invalid_cert = TRUE;
 if (io_stream_create_ssl_client(conn->server->ssl_ctx,
- conn->server->name, &ssl_set,
+ conn->server->hostname, &ssl_set,
 &conn->input, &conn->output,
 &conn->ssl_iostream, &error) < 0) {
 i_error("Couldn't initialize SSL client: %s", error);
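Review bot: `conn->server->hostname` is now handed to io_stream_create_ssl_client() as the SNI name unconditionally, but RFC 6066 section 3 does not permit IPv4 or IPv6 literals in the server_name extension, and a doveadm target may well be an IP address rather than a DNS name. If the ssl client accepts an empty or NULL host to mean "no SNI", the call should only pass the name when it is not an address, e.g. `struct ip_addr ip; const char *sni = net_addr2ip(conn->server->hostname, &ip) == 0 ? NULL : conn->server->hostname;` and then `sni` in place of `conn->server->hostname` here, while the certificate check in server_connection_ssl_handshaked() keeps using the full hostname so an IP SAN can still match. Whether io_stream_create_ssl_client() tolerates a NULL host is not visible in this diff and should be confirmed. server_connection_init_ssl() starts before and continues after this hunk.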