Dig: carefully check if the server name for SNI is a hostname
authorArtem Boldariev <artem@boldariev.com>
Fri, 14 Mar 2025 19:35:39 +0000 (21:35 +0200)
committerArtem Boldariev <artem@boldariev.com>
Mon, 31 Mar 2025 12:07:33 +0000 (15:07 +0300)
Previously the code would not check if the string intended to be used
for SNI is a hostname.

(cherry picked from commit 16a306687a2049dff0bb4139165fc22381905643)

bin/dig/dighost.c

index 87dbd5b80dcb03aaa0c8d9c194cf0bd855599127..90e8f0c0ad46308578c1b8729dff8be8599aaaeb 100644 (file)
@@ -2793,8 +2793,19 @@ _cancel_lookup(dig_lookup_t *lookup, const char *file, unsigned int line) {
 
 static inline const char *
 get_tls_sni_hostname(dig_query_t *query) {
-       return query->lookup->tls_hostname_set ? query->lookup->tls_hostname
-                                              : query->userarg;
+       const char *hostname = query->lookup->tls_hostname_set
+                                      ? query->lookup->tls_hostname
+                                      : query->userarg;
+
+       if (query->lookup->tls_hostname_set) {
+               return query->lookup->tls_hostname;
+       }
+
+       if (isc_tls_valid_sni_hostname(hostname)) {
+               return hostname;
+       }
+
+       return NULL;
 }
 
 static isc_tlsctx_t *
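Review bot: The ternary that initialises `hostname` at the top of get_tls_sni_hostname is dead once the `tls_hostname_set` early return follows it: when the flag is set the function returns `tls_hostname` before `hostname` is read, so by the time `isc_tls_valid_sni_hostname` runs, `hostname` can only ever be `query->userarg`. Reading `userarg` directly where it is used is shorter and makes the asymmetry visible, since an explicitly configured TLS hostname is returned as given while the server name must pass validation; a short comment such as `/* an explicitly set TLS hostname is returned as given; a server name taken from userarg must be a valid SNI hostname */` would record that, as the commit message does not say whether the configured name is validated elsewhere. The last two statements could collapse to `return isc_tls_valid_sni_hostname(query->userarg) ? query->userarg : NULL;`. Callers now receive NULL where they previously always got a string, and the hunk does not show whether each of them handles that. Whether `isc_tls_valid_sni_hostname` tolerates a NULL `userarg` is also not visible here.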