From: Alan T. DeKok
Date: Fri, 11 Apr 2025 00:43:12 +0000 (-0400)
Subject: it helps to have SSL session before using it. Fixes #5552
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=b913b937898e7a2833697c52124acb23e888376c;p=thirdparty%2Ffreeradius-server.git
it helps to have SSL session before using it. Fixes #5552
---
diff --git a/src/main/listen.c b/src/main/listen.c
index a3855d1f05..3cbd4f88f9 100644
--- a/src/main/listen.c
+++ b/src/main/listen.c
@@ -3662,18 +3662,6 @@ rad_listen_t *proxy_new_listener(TALLOC_CTX *ctx, home_server_t *home, uint16_t
 if ((home->proto == IPPROTO_TCP) && home->tls) {
 DEBUG("(TLS) Trying new outgoing proxy connection to %s", buffer);
 
- /*
- * Set SNI, if configured.
- *
- * The OpenSSL API says the filename is "char
- * const *", but some versions have it as "void
- * *", without the "const". So we un-const it
- * here through various C magic.
- */
- if (home->tls->client_hostname) {
- (void) SSL_set_tlsext_host_name(sock->ssn->ssl, (void *) (uintptr_t) home->tls->client_hostname);
- }
-
 #ifdef WITH_RADIUSV11
 this->radiusv11 = home->tls->radiusv11;
 #endif
diff --git a/src/main/tls.c b/src/main/tls.c
index 7286f220c6..fe7cc4a88f 100644
--- a/src/main/tls.c
+++ b/src/main/tls.c
@@ -497,6 +497,18 @@ tls_session_t *tls_new_client_session(TALLOC_CTX *ctx, fr_tls_server_conf_t *con
 SSL_set_ex_data(ssn->ssl, FR_TLS_EX_INDEX_FIX_CERT_ORDER, (void *) &conf->fix_cert_order);
 }
 
+ /*
+ * Set SNI, if configured.
+ *
+ * The OpenSSL API says the filename is "char
+ * const *", but some versions have it as "void
+ * *", without the "const". So we un-const it
+ * here through various C magic.
+ */
+ if (conf->client_hostname) {
+ (void) SSL_set_tlsext_host_name(ssn->ssl, (void *) (uintptr_t) conf->client_hostname);
+ }
+
 /*
 * Add the message callback to identify what type of
 * message/handshake is passed
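Review bot: The return value of `SSL_set_tlsext_host_name()` is discarded by the `(void)` cast in the block added to tls_new_client_session(), so a configured `client_hostname` that cannot be applied leaves the session without SNI and nothing is logged. OpenSSL returns 1 on success for this call, so it could be tested, e.g. `if (SSL_set_tlsext_host_name(ssn->ssl, (void *) (uintptr_t) conf->client_hostname) != 1)`, and the failure reported before the handshake starts. SNI only tells the peer which name is being requested; whether the peer certificate is also checked against `client_hostname` is not visible in this hunk and is worth confirming, since the function body continues outside it.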