[Privoxy-commits] [privoxy] 10/16: openssl: Don't call SSL_set_tlsext_host_name() if the host is an IP address
User Git
git at git.privoxy.org
Mon Dec 22 11:30:16 CET 2025
This is an automated email from the git hooks/post-receive script.
git pushed a commit to branch master
in repository privoxy.
commit bb846ead4bb242e2884e6777be0b9434d3e6de93
Author: Fabian Keil <fk at fabiankeil.de>
AuthorDate: Sun Dec 21 16:08:37 2025 +0100
openssl: Don't call SSL_set_tlsext_host_name() if the host is an IP address
With LibreSSL the call simply fails and with OpenSSL the call
succeeds but results in a syntactically incorrect ClientHello [0]
a server may object to.
While at it, add the host name to the error message.
[0]: <https://github.com/openssl/openssl/issues/20041>
---
openssl.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/openssl.c b/openssl.c
index 25e6b373..cb2bab7a 100644
--- a/openssl.c
+++ b/openssl.c
@@ -1126,9 +1126,11 @@ extern int create_server_ssl_connection(struct client_state *csp)
}
#endif
/* SNI extension */
- if (!SSL_set_tlsext_host_name(ssl, csp->http->host))
+ if (!host_is_ip_address(csp->http->host) &&
+ !SSL_set_tlsext_host_name(ssl, csp->http->host))
{
- log_ssl_errors(LOG_LEVEL_ERROR, "SSL_set_tlsext_host_name failed");
+ log_ssl_errors(LOG_LEVEL_ERROR,
+ "SSL_set_tlsext_host_name() failed to set %s", csp->http->host);
ret = -1;
goto exit;
}
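Review bot: The new guard on the SSL_set_tlsext_host_name() call depends entirely on host_is_ip_address(), which is not defined anywhere in this diff (only openssl.c changes, 4 insertions), so its coverage cannot be judged from here. Please confirm it recognises IPv6 literals as well as dotted-quad IPv4, in whatever form csp->http->host stores them, since RFC 6066 section 3 forbids both in the SNI HostName and a missed case would still produce the malformed ClientHello the commit message describes. The "/* SNI extension */" comment could also say why IP addresses are skipped, so the check is not later removed as redundant. The added "%s" for csp->http->host in log_ssl_errors() is fine as a format argument, but the value comes from the client's request, so it is worth checking that the log path escapes control characters.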