Set SNI extension with OpenSSL.
authorMichael R Sweet <msweet@msweet.org>
Fri, 17 May 2024 15:57:29 +0000 (11:57 -0400)
committerMichael R Sweet <msweet@msweet.org>
Fri, 17 May 2024 15:57:29 +0000 (11:57 -0400)
CHANGES.md
cups/tls-openssl.c

index 16706112a5d65dc84af95ef68a0d5e4e0a3ec5e7..40536a21e8c3a037c899a85c2e6799798ec68590 100644 (file)
@@ -93,6 +93,8 @@ Changes in CUPS v2.5b1 (TBA)
   fields.
 - Fixed finishing support in ippeveps.
 - Fixed non-quick copy of collection values.
+- Fixed TLS negotiation using OpenSSL with servers that require the TLS SNI
+  extension.
 - Removed hash support for SHA2-512-224 and SHA2-512-256.
 - Removed `mantohtml` script for generating html pages (use
   `https://www.msweet.org/mantohtml/`)
index da7a0d67df242a4234893392fe554f5f6afcd6d8..67493a19b62a6363987076009ba7d6224851f824 100644 (file)
@@ -3,7 +3,7 @@
 //
 // Note: This file is included from tls.c
 //
-// Copyright © 2020-2023 by OpenPrinting
+// Copyright © 2020-2024 by OpenPrinting
 // Copyright © 2007-2019 by Apple Inc.
 // Copyright © 1997-2007 by Easy Software Products, all rights reserved.
 //
@@ -1545,6 +1545,7 @@ _httpTLSStart(http_t *http)               // I - Connection to server
       int      i,                      // Looping var
                count;                  // Number of certificates
 
+      DEBUG_puts("4_httpTLSStart: Using client certificate.");
       SSL_CTX_use_certificate(context, sk_X509_value(http->tls_credentials->certs, 0));
       SSL_CTX_use_PrivateKey(context, http->tls_credentials->key);
 
@@ -1719,6 +1720,9 @@ _httpTLSStart(http_t *http)               // I - Connection to server
   if (http->mode == _HTTP_MODE_CLIENT)
   {
     // Negotiate as a client...
+    DEBUG_printf("4_httpTLSStart: Setting server name TLS extension to '%s'...", http->hostname);
+    SSL_set_tlsext_host_name(http->tls, http->hostname);
+
     DEBUG_puts("4_httpTLSStart: Calling SSL_connect...");
     if (SSL_connect(http->tls) < 1)
     {
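Review bot: The return value of `SSL_set_tlsext_host_name()` on the added line before `SSL_connect` is discarded, so a failure lets the handshake proceed without SNI while the debug message above it still says the name is being set. The call returns 1 on success and 0 on failure, so check it and at least log the failure: `if (!SSL_set_tlsext_host_name(http->tls, http->hostname)) DEBUG_puts("4_httpTLSStart: Unable to set server name TLS extension.");`. RFC 6066 also does not permit literal IPv4/IPv6 addresses in the server_name extension, so if `http->hostname` can hold an address literal or a trailing-dot name at this point, skip the call or normalize the name first; this hunk does not show which forms it can take. SNI only tells the server which certificate to present, and whether that certificate is then matched against `http->hostname` is decided outside the lines shown. `_httpTLSStart` begins and ends outside the hunk.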