The ssl_sock_set_servername() function was documented to support a NULL sni to
unset it. However, the man page of SSL_get_servername() does not mention
whether this is supported or not. It is in fact not supported by WolfSSL and leads
to a crash if we do so.
For now, this function is never called with a NULL sni, so it is better and
safer to forbid this case. Now, if the sni is NULL, the function does
nothing.
This patch could be backported to all stable versions.
#endif
}
-/* Sets advertised SNI for outgoing connections. Please set <hostname> to NULL
- * to disable SNI.
+/* Sets advertised SNI for outgoing connections.
*/
void ssl_sock_set_servername(struct connection *conn, const char *hostname)
{
struct ssl_sock_ctx *ctx = conn_get_ssl_sock_ctx(conn);
char *prev_name;
- if (!ctx)
+ if (!ctx || !hostname)
return;
BUG_ON(!(conn->flags & CO_FL_WAIT_L6_CONN));
*/
prev_name = (char *)SSL_get_servername(ctx->ssl, TLSEXT_NAMETYPE_host_name);
- if ((!prev_name && hostname) ||
- !hostname ||
- strcmp(hostname, prev_name) != 0) {
+ if (!prev_name || strcmp(hostname, prev_name) != 0) {
SSL_set_session(ctx->ssl, NULL);
SSL_set_tlsext_host_name(ctx->ssl, hostname);
}
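Review bot: The updated header comment on ssl_sock_set_servername() drops the old NULL contract without stating the new one, while the added `!hostname` guard turns a NULL argument into a silent no-op. A later caller that passes NULL expecting to clear SNI would leave the previously set name in place, and it would presumably still be advertised on the outgoing handshake with nothing signalling the mistake. I would extend the comment with `<hostname> must not be NULL; a NULL value is ignored and any previously set SNI is left unchanged.` Separately, `prev_name` is only read in the visible lines, so declaring it `const char *prev_name;` would remove the `(char *)` cast on the SSL_get_servername() result. The function body continues past the end of the hunk, so this is based only on the lines shown.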