printf("-c file cert file, default %s\n", ROOT_CERT_FILE);
printf("-l list builtin key and cert on stdout\n");
printf("-u name server in https url, default %s\n", URLNAME);
+ printf("-S use SNI for the https connection\n");
printf("-x path pathname to xml in url, default %s\n", XMLNAME);
printf("-s path pathname to p7s in url, default %s\n", P7SNAME);
printf("-n name signer's subject emailAddress, default %s\n", P7SIGNER);
/** initiate TLS on a connection */
static SSL*
-TLS_initiate(SSL_CTX* sslctx, int fd)
+TLS_initiate(SSL_CTX* sslctx, int fd, const char* urlname, int use_sni)
{
X509* x;
int r;
SSL_free(ssl);
return NULL;
}
+ if(use_sni) {
+ (void)SSL_set_tlsext_host_name(ssl, urlname);
+ }
while(1) {
ERR_clear_error();
if( (r=SSL_do_handshake(ssl)) == 1)
/** https to an IP addr, return BIO with pathname or NULL */
static BIO*
https_to_ip(struct ip_list* ip, const char* pathname, const char* urlname,
- struct ip_list* src)
+ struct ip_list* src, int use_sni)
{
int fd;
SSL* ssl;
SSL_CTX_free(sslctx);
return NULL;
}
- ssl = TLS_initiate(sslctx, fd);
+ ssl = TLS_initiate(sslctx, fd, urlname, use_sni);
if(!ssl) {
SSL_CTX_free(sslctx);
fd_close(fd);
* @param pathname: pathname of file on server to GET.
* @param urlname: name to pass as the virtual host for this request.
* @param src: if nonNULL, source address to bind to.
+ * @param use_sni: if SNI will be used.
* @return a memory BIO with the file in it.
*/
static BIO*
https(struct ip_list* ip_list, const char* pathname, const char* urlname,
- struct ip_list* src)
+ struct ip_list* src, int use_sni)
{
struct ip_list* ip;
BIO* bio = NULL;
wipe_ip_usage(ip_list);
while( (ip = pick_random_ip(ip_list)) ) {
ip->used = 1;
- bio = https_to_ip(ip, pathname, urlname, src);
+ bio = https_to_ip(ip, pathname, urlname, src, use_sni);
if(bio) break;
}
if(!bio) {
const char* urlname, const char* xmlname, const char* p7sname,
const char* p7signer, const char* res_conf, const char* root_hints,
const char* debugconf, const char* srcaddr, int ip4only, int ip6only,
- int port)
+ int port, int use_sni)
{
STACK_OF(X509)* cert;
#endif
/* fetch the necessary files over HTTPS */
- xml = https(ip_list, xmlname, urlname, src);
- p7s = https(ip_list, p7sname, urlname, src);
+ xml = https(ip_list, xmlname, urlname, src, use_sni);
+ p7s = https(ip_list, p7sname, urlname, src, use_sni);
/* verify and update the root anchor */
verify_and_update_anchor(root_anchor_file, xml, p7s, cert, p7signer);
const char* urlname, const char* xmlname, const char* p7sname,
const char* p7signer, const char* res_conf, const char* root_hints,
const char* debugconf, const char* srcaddr, int ip4only, int ip6only,
- int force, int res_conf_fallback, int port)
+ int force, int res_conf_fallback, int port, int use_sni)
{
struct ub_result* dnskey;
int used_builtin = 0;
probe_date_allows_certupdate(root_anchor_file)) || force) {
if(do_certupdate(root_anchor_file, root_cert_file, urlname,
xmlname, p7sname, p7signer, res_conf, root_hints,
- debugconf, srcaddr, ip4only, ip6only, port))
+ debugconf, srcaddr, ip4only, ip6only, port, use_sni))
return 1;
return used_builtin;
}
const char* srcaddr = NULL;
int dolist=0, ip4only=0, ip6only=0, force=0, port = HTTPS_PORT;
int res_conf_fallback = 0;
+ int use_sni = 0;
/* parse the options */
- while( (c=getopt(argc, argv, "46C:FRP:a:b:c:f:hln:r:s:u:vx:")) != -1) {
+ while( (c=getopt(argc, argv, "46C:FRSP:a:b:c:f:hln:r:s:u:vx:")) != -1) {
switch(c) {
case 'l':
dolist = 1;
case 'u':
urlname = optarg;
break;
+ case 'S':
+ use_sni = 1;
+ break;
case 'x':
xmlname = optarg;
break;
return do_root_update_work(root_anchor_file, root_cert_file, urlname,
xmlname, p7sname, p7signer, res_conf, root_hints, debugconf,
- srcaddr, ip4only, ip6only, force, res_conf_fallback, port);
+ srcaddr, ip4only, ip6only, force, res_conf_fallback, port, use_sni);
}