From: Artem Boldariev
Date: Tue, 17 Dec 2024 14:02:05 +0000 (+0200)
Subject: Dig - enable TLS SNI support
X-Git-Tag: v9.21.4~12^2~1
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=e04fb30ee624bdec290188ec5ee74d0ef71c8e24;p=thirdparty%2Fbind9.git

Dig - enable TLS SNI support

This commit ensures that dig enables TLS SNI support for outgoing connections in order to improve compatibility with other DNS server software.
---
diff --git a/bin/dig/dighost.c b/bin/dig/dighost.c
index 09b677e87b5..de01fce32db 100644
--- a/bin/dig/dighost.c
+++ b/bin/dig/dighost.c
@@ -2778,6 +2778,12 @@ _cancel_lookup(dig_lookup_t *lookup, const char *file, unsigned int line) {
 check_if_done();
 }
+static inline const char *
+get_tls_sni_hostname(dig_query_t *query) {
+ return query->lookup->tls_hostname_set ? query->lookup->tls_hostname
+ : query->userarg;
+}
+
 static isc_tlsctx_t *
 get_create_tls_context(dig_query_t *query, const bool is_https,
 isc_tlsctx_client_session_cache_t **psess_cache) {
@@ -2824,10 +2830,7 @@ get_create_tls_context(dig_query_t *query, const bool is_https,
 }
 if (store != NULL) {
- const char *hostname =
- query->lookup->tls_hostname_set
- ? query->lookup->tls_hostname
- : query->userarg;
+ const char *hostname = get_tls_sni_hostname(query);
 /*
 * According to RFC 8310, Subject field MUST NOT be
 * inspected when verifying hostname for DoT. Only
@@ -3041,7 +3044,8 @@ start_tcp(dig_query_t *query) {
 }
 isc_nm_streamdnsconnect(netmgr, &localaddr, &query->sockaddr,
 tcp_connected, connectquery,
- local_timeout, tlsctx, NULL, sess_cache,
+ local_timeout, tlsctx,
+ get_tls_sni_hostname(query), sess_cache,
 proxy_type, ppi);
 #if HAVE_LIBNGHTTP2
 } else if (query->lookup->https_mode) {
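Review bot: get_tls_sni_hostname() falls back to query->userarg without checking what that string holds; if it can be an IP-address literal (a server given by address rather than name), that literal would now be sent as the TLS SNI host_name, which RFC 6066 does not allow and which peers may ignore or reject, so the fallback should be guarded (e.g. return NULL when `inet_pton()` accepts the string as an IPv4 or IPv6 address) or the constraint documented at the call sites. The helper also lacks a comment; I would add `/* Name to send as TLS SNI (RFC 6066): the explicit tls_hostname when set, otherwise the same server argument used for certificate hostname verification. */` above it. The hunks at 3041 and 3061 now pass this value even when tlsctx is NULL (plain TCP); if isc_nm_streamdnsconnect() and isc_nm_httpconnect() ignore the SNI argument without a TLS context this is harmless, but that is not visible here and worth confirming. The enclosing start_tcp() begins and ends outside those hunks.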
@@ -3061,7 +3065,8 @@ start_tcp(dig_query_t *query) {
 isc_nm_httpconnect(netmgr, &localaddr, &query->sockaddr, uri,
 !query->lookup->https_get, tcp_connected,
- connectquery, tlsctx, NULL, sess_cache,
+ connectquery, tlsctx,
+ get_tls_sni_hostname(query), sess_cache,
 local_timeout, proxy_type, ppi);
 #endif
 } else {