Fix tls_sockets() when SNI empty

`socksend_tls_clienthello()` always includes a server name extension in the ClientHello (for TLS 1.0 and above), even if `$SNI` is empty. If `$NODE` is an IP address, then the IP address is placed in the extension, even though RFC 6066 says that only DNS names are supported in the extension. This PR changes `socksend_tls_clienthello()` so that the server name extension is only included in the ClientHello is `$SNI` is not empty.
2025-01-06 00:39:44 +01:00 · 2016-09-01 13:22:39 -04:00 · 2016-09-01 13:22:39 -04:00 · a9002ba6e6
commit a9002ba6e6
parent 2313aee22d
1 changed files with 27 additions and 21 deletions
--- a/testssl.sh
+++ b/testssl.sh
@ -5747,6 +5747,7 @@ socksend_tls_clienthello() {
               fi
          done

+          if [[ -n "$SNI" ]]; then
               #formatted example for SNI
               #00 00    # extension server_name
               #00 1a    # length                      = the following +2 = server_name length + 5
@ -5761,6 +5762,7 @@ socksend_tls_clienthello() {
               len_servername_hex=$(printf "%02x\n" $len_servername)
               len_sni_listlen=$(printf "%02x\n" $((len_servername+3)))
               len_sni_ext=$(printf "%02x\n" $((len_servername+5)))
+          fi

          extension_signature_algorithms="
          00, 0d,                    # Type: signature_algorithms , see RFC 5246
@ -5790,15 +5792,19 @@ socksend_tls_clienthello() {
          01, 00"
          
          all_extensions="
-           00, 00                  # extension server_name
+           $extension_heartbeat
+          ,$extension_session_ticket
+          ,$extension_next_protocol"
+
+          if [[ -n "$SNI" ]]; then
+               all_extensions="$all_extensions
+               ,00, 00                  # extension server_name
               ,00, $len_sni_ext        # length SNI EXT
               ,00, $len_sni_listlen    # server_name list_length
               ,00                      # server_name type (hostname)
               ,00, $len_servername_hex # server_name length. We assume len(hostname) < FF - 9
-          ,$servername_hexstr      # server_name target
-          ,$extension_heartbeat
-          ,$extension_session_ticket
-          ,$extension_next_protocol"
+               ,$servername_hexstr"     # server_name target
+          fi

          # RFC 5246 says that clients MUST NOT offer the signature algorithms
          # extension if they are offering TLS versions prior to 1.2.