From: Alan T. DeKok
Date: Sun, 25 Jul 2021 16:35:35 +0000 (-0400)
Subject: move SNI to the correct place
X-Git-Tag: release_3_0_24~112
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=8e515169bbd4ce1bd98f522049f3283c9b009dde;p=thirdparty%2Ffreeradius-server.git

move SNI to the correct place
---
diff --git a/raddb/sites-available/tls b/raddb/sites-available/tls
index 12bf503ce3f..4315fecf26e 100644
--- a/raddb/sites-available/tls
+++ b/raddb/sites-available/tls
@@ -490,6 +490,10 @@ home_server tls {
 # connection, and then use SNI to route the
 # underlying RADIUS TCP traffic to a particular host.
 #
+# Note that "hostname" here only for SNI, and is NOT
+# the hostname or IP address we connect to. For that,
+# See "ipaddr", above.
+#
 # hostname = "example.com"
 
 private_key_password = whatever
diff --git a/src/main/listen.c b/src/main/listen.c
index f2af3e16dad..c9c27226146 100644
--- a/src/main/listen.c
+++ b/src/main/listen.c
@@ -2990,6 +2990,18 @@ rad_listen_t *proxy_new_listener(TALLOC_CTX *ctx, home_server_t *home, uint16_t
 if ((home->proto == IPPROTO_TCP) && home->tls) {
 DEBUG("(TLS) Trying new outgoing proxy connection to %s", buffer);
 
+/*
+ * Set SNI, if configured.
+ *
+ * The OpenSSL API says the filename is "char
+ * const *", but some versions have it as "void
+ * *", without the "const". So we un-const it
+ * here through various C magic.
+ */
+if (home->tls->client_hostname) {
+(void) SSL_set_tlsext_host_name(sock->ssn->ssl, (void *) (uintptr_t) "home->tls->client_hostname");
+}
+
 /*
 * This is blocking. :(
 */
diff --git a/src/main/tls_listen.c b/src/main/tls_listen.c
index cad1353cd39..0c3a4cfcb3c 100644
--- a/src/main/tls_listen.c
+++ b/src/main/tls_listen.c
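Review bot: The SNI value passed on the added `SSL_set_tlsext_host_name` line in listen.c is the string literal `"home->tls->client_hostname"`, not the configured field — the quotes turn the member access into constant text, so every outgoing proxy TLS connection with a `hostname` configured advertises the literal characters `home->tls->client_hostname` as its server name and SNI-based routing at the peer will never match. The line should read `(void) SSL_set_tlsext_host_name(sock->ssn->ssl, (void *) (uintptr_t) home->tls->client_hostname);`, which is exactly the form of the line removed from tls_listen.c. The return value is discarded as it was in the removed code, so a rejected or unset SNI silently falls back to a connection without SNI; logging a failure next to the existing DEBUG line would make misrouted proxy traffic diagnosable. In the copied comment, "filename" should read "hostname", since the argument is the TLS server name. proxy_new_listener begins and ends outside the hunk.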
@@ -177,18 +177,6 @@ static int tls_socket_recv(rad_listen_t *listener)
 SSL_set_ex_data(sock->ssn->ssl, FR_TLS_EX_INDEX_TALLOC, sock);
 sock->ssn->quick_session_tickets = true; /* we don't have inner-tunnel authentication */
 
-/*
- * Set SNI, if configured.
- *
- * The OpenSSL API says the filename is "char
- * const *", but some versions have it as "void
- * *", without the "const". So we un-const it
- * here through various C magic.
- */
-if (listener->tls->client_hostname) {
-(void) SSL_set_tlsext_host_name(sock->ssn->ssl, (void *) (uintptr_t) listener->tls->client_hostname);
-}
-
 doing_init = true;
 }
 