Fix tls_sockets() when SNI empty

`socksend_tls_clienthello()` always includes a server name extension in the ClientHello (for TLS 1.0 and above), even if `$SNI` is empty. If `$NODE` is an IP address, then the IP address is placed in the extension, even though RFC 6066 says that only DNS names are supported in the extension.

This PR changes `socksend_tls_clienthello()` so that the server name extension is only included in the ClientHello is `$SNI` is not empty.
This commit is contained in:
David Cooper 2016-09-01 13:22:39 -04:00 committed by GitHub
parent 2313aee22d
commit a9002ba6e6

View File

@ -5747,6 +5747,7 @@ socksend_tls_clienthello() {
fi fi
done done
if [[ -n "$SNI" ]]; then
#formatted example for SNI #formatted example for SNI
#00 00 # extension server_name #00 00 # extension server_name
#00 1a # length = the following +2 = server_name length + 5 #00 1a # length = the following +2 = server_name length + 5
@ -5761,6 +5762,7 @@ socksend_tls_clienthello() {
len_servername_hex=$(printf "%02x\n" $len_servername) len_servername_hex=$(printf "%02x\n" $len_servername)
len_sni_listlen=$(printf "%02x\n" $((len_servername+3))) len_sni_listlen=$(printf "%02x\n" $((len_servername+3)))
len_sni_ext=$(printf "%02x\n" $((len_servername+5))) len_sni_ext=$(printf "%02x\n" $((len_servername+5)))
fi
extension_signature_algorithms=" extension_signature_algorithms="
00, 0d, # Type: signature_algorithms , see RFC 5246 00, 0d, # Type: signature_algorithms , see RFC 5246
@ -5790,15 +5792,19 @@ socksend_tls_clienthello() {
01, 00" 01, 00"
all_extensions=" all_extensions="
00, 00 # extension server_name $extension_heartbeat
,$extension_session_ticket
,$extension_next_protocol"
if [[ -n "$SNI" ]]; then
all_extensions="$all_extensions
,00, 00 # extension server_name
,00, $len_sni_ext # length SNI EXT ,00, $len_sni_ext # length SNI EXT
,00, $len_sni_listlen # server_name list_length ,00, $len_sni_listlen # server_name list_length
,00 # server_name type (hostname) ,00 # server_name type (hostname)
,00, $len_servername_hex # server_name length. We assume len(hostname) < FF - 9 ,00, $len_servername_hex # server_name length. We assume len(hostname) < FF - 9
,$servername_hexstr # server_name target ,$servername_hexstr" # server_name target
,$extension_heartbeat fi
,$extension_session_ticket
,$extension_next_protocol"
# RFC 5246 says that clients MUST NOT offer the signature algorithms # RFC 5246 says that clients MUST NOT offer the signature algorithms
# extension if they are offering TLS versions prior to 1.2. # extension if they are offering TLS versions prior to 1.2.