From: Alex Rousskov Date: Fri, 29 Apr 2016 00:27:45 +0000 (-0600) Subject: Fixed parsing of server-sent SNI. X-Git-Tag: SQUID_4_0_11~29^2~13 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=fc34b43d2939da581ac21d8ac2d097dabfb4866e;p=thirdparty%2Fsquid.git Fixed parsing of server-sent SNI. The old code could not handle an empty SNI extension that most servers send. RFC 6066 prose instructs servers to send empty SNI extensions, and the formal SNI grammar is apparently client-specific. We are not the only ones being confused by that because there are severs that send empty ServerNameLists, which are actually prohibited by the grammar. --- diff --git a/src/security/Handshake.cc b/src/security/Handshake.cc index 140745ff45..9909d3e64c 100644 --- a/src/security/Handshake.cc +++ b/src/security/Handshake.cc @@ -408,6 +408,10 @@ Security::HandshakeParser::parseServerHelloHandshakeMessage(const SBuf &raw) SBuf Security::HandshakeParser::parseSniExtension(const SBuf &extensionData) const { + // Servers SHOULD send an empty SNI extension, not an empty ServerNameList! + if (extensionData.isEmpty()) + return SBuf(); + BinaryTokenizer tkList(extensionData); const P16String list(tkList, "ServerNameList");