From: Wouter Wijngaards Date: Tue, 25 Sep 2018 08:31:42 +0000 (+0000) Subject: - Perform TLS SNI indication of the host that is being contacted X-Git-Tag: release-1.8.1rc1~4 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=f82a12890945093bdb9caa8611ecd607e291bbd9;p=thirdparty%2Funbound.git - Perform TLS SNI indication of the host that is being contacted for DNS over TLS service. It sets the configured tls auth name. This is useful for hosts that apart from the DNS over TLS services also provide other (web) services. git-svn-id: file:///svn/unbound/trunk@4914 be551aaa-1e26-0410-a405-d3ace91eadb9 --- diff --git a/doc/Changelog b/doc/Changelog index 274dfa784..63fecca8b 100644 --- a/doc/Changelog +++ b/doc/Changelog @@ -1,3 +1,9 @@ +25 September 2018: Wouter + - Perform TLS SNI indication of the host that is being contacted + for DNS over TLS service. It sets the configured tls auth name. + This is useful for hosts that apart from the DNS over TLS services + also provide other (web) services. + 17 September 2018: Wouter - Fix compile on Mac for unbound, provide explicit_bzero when libc does not have it. diff --git a/services/outside_network.c b/services/outside_network.c index 75338f446..54bbf6f56 100644 --- a/services/outside_network.c +++ b/services/outside_network.c @@ -365,6 +365,9 @@ outnet_tcp_take_into_use(struct waiting_tcp* w, uint8_t* pkt, size_t pkt_len) comm_point_tcp_win_bio_cb(pend->c, pend->c->ssl); #endif pend->c->ssl_shake_state = comm_ssl_shake_write; + if(w->tls_auth_name) { + (void)SSL_set_tlsext_host_name(pend->c->ssl, w->tls_auth_name); + } #ifdef HAVE_SSL_SET1_HOST if(w->tls_auth_name) { SSL_set_verify(pend->c->ssl, SSL_VERIFY_PEER, NULL);
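Review bot: The doc/Changelog entry says the SNI "sets the configured tls auth name" but does not say that the extension is only sent when a tls auth name is configured, which is what the `if(w->tls_auth_name)` guard in services/outside_network.c does. Consider stating that forwarders configured without an auth name send no SNI, and that the name travels unencrypted in the ClientHello, so operators know what an on-path observer will see for each upstream.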
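Review bot: In the services/outside_network.c hunk, the result of `(void)SSL_set_tlsext_host_name(pend->c->ssl, w->tls_auth_name);` is discarded, so a failure to set the extension is silent and the handshake proceeds without SNI. A host that serves both DNS over TLS and web services may then present its default certificate, and the verification enabled in the `HAVE_SSL_SET1_HOST` block just below would fail with a name mismatch that is hard to trace back to the missing SNI. Suggest checking the return value and logging when it fails. Two smaller points: the new call is outside any feature guard while the block that follows it is under `#ifdef HAVE_SSL_SET1_HOST`, so it is worth confirming that every supported SSL library provides `SSL_set_tlsext_host_name`; and both blocks test `w->tls_auth_name`, so a short comment explaining that SNI is sent even when peer verification is not compiled in would help the next reader. RFC 6066 also does not permit IP address literals in the server name, so if the configured auth name can be an address, that case should be skipped here.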