Commit 6d891d2a authored by Daniel Stenberg

- Curt Bogmine reported a problem with SNI enabled on a particular server. We
  should introduce an option to disable SNI, but as we're in feature freeze
  now I've addressed the obvious bug here (pointed out by Peter Sylvester): we
  shouldn't try to enable SNI when SSLv2 or SSLv3 is explicitly selected.
  Code for OpenSSL and GnuTLS was fixed. NSS doesn't seem to have a particular
  option for SNI, or are we simply not using it?
parent c0e8bed5
+8 −0
@@ -6,6 +6,14 @@

                                  Changelog

Daniel Stenberg (2 Aug 2009)
- Curt Bogmine reported a problem with SNI enabled on a particular server. We
  should introduce an option to disable SNI, but as we're in feature freeze
  now I've addressed the obvious bug here (pointed out by Peter Sylvester): we
  shouldn't try to enable SNI when SSLv2 or SSLv3 is explicitly selected.
  Code for OpenSSL and GnuTLS was fixed. NSS doesn't seem to have a particular
  option for SNI, or are we simply not using it?

Daniel Stenberg (1 Aug 2009)
- Scott Cantor posted the bug report #2829955
  (http://curl.haxx.se/bug/view.cgi?id=2829955) mentioning the recent SSL cert
+2 −1
@@ -41,6 +41,7 @@ This release includes the following bugfixes:
 o with noproxy set you could still get a proxy if a proxy env was set
 o rand seeding on libcurl on windows built with OpenSSL was not thread-safe
 o fixed the zero byte inserted in cert name flaw in libcurl+OpenSSL
 o don't try SNI with SSLv2 or SSLv3 (OpenSSL and GnuTLS builds)

This release includes the following known bugs:

@@ -54,6 +55,6 @@ advice from friends like these:
 Aaron Oneal, Igor Novoseltsev, Eric Wong, Bill Hoffman, Daniel Steinberg,
 Fabian Keil, Michal Marek, Reuven Wachtfogel, Markus Koetter,
 Constantine Sapuntzakis, David Binderman, Johan van Selst, Alexander Beedie,
 Tanguy Fautre, Scott Cantor
 Tanguy Fautre, Scott Cantor, Curt Bogmine, Peter Sylvester

        Thanks! (and sorry if I forgot to mention someone)
+0 −4
@@ -3,12 +3,8 @@ To be addressed in 7.19.6 (planned release: August 2009)

248 - "Pausing pipeline problems."

249 - Wildcard cert name checking and null termination

251 - TFTP block size

252 - disable SNI for SSLv2 and SSLv3

To be addressed in 7.19.7 (planned release: October 2009)
=========================
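Review bot: removing item 252 from the 7.19.6 list closes the TODO even though the commit message itself says an option to disable SNI is still wanted and the NSS question is left open; consider moving a follow-up entry (for example "option to disable SNI; check whether the NSS build uses SNI at all") under the 7.19.7 heading so the remaining work is not lost.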

+4 −0
@@ -260,6 +260,7 @@ Curl_gtls_connect(struct connectdata *conn,
  const char *ptr;
  void *ssl_sessionid;
  size_t ssl_idsize;
  bool sni = TRUE; /* default is SNI enabled */
#ifdef ENABLE_IPV6
  struct in6_addr addr;
#else
@@ -279,6 +280,8 @@ Curl_gtls_connect(struct connectdata *conn,
    failf(data, "GnuTLS does not support SSLv2");
    return CURLE_SSL_CONNECT_ERROR;
  }
  else if(data->set.ssl.version == CURL_SSLVERSION_SSLv3)
    sni = FALSE; /* SSLv3 has no SNI */

  /* allocate a cred struct */
  rc = gnutls_certificate_allocate_credentials(&conn->ssl[sockindex].cred);
@@ -335,6 +338,7 @@ Curl_gtls_connect(struct connectdata *conn,
#ifdef ENABLE_IPV6
      (0 == Curl_inet_pton(AF_INET6, conn->host.name, &addr)) &&
#endif
      sni &&
      (gnutls_server_name_set(session, GNUTLS_NAME_DNS, conn->host.name,
                              strlen(conn->host.name)) < 0))
    infof(data, "WARNING: failed to configure server name indication (SNI) "
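Review bot: with `sni &&` placed ahead of gnutls_server_name_set() the SSLv3 path now skips SNI silently, since the whole condition becomes false and the WARNING infof() is never reached; a short infof(data, "SNI disabled for SSLv3") on that branch would make the disabled state visible in verbose output, which is exactly what is needed when looking at a server-specific report like the one that prompted this change.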
+4 −0
@@ -1351,6 +1351,7 @@ ossl_connect_step1(struct connectdata *conn,
  X509_LOOKUP *lookup=NULL;
  curl_socket_t sockfd = conn->sock[sockindex];
  struct ssl_connect_data *connssl = &conn->ssl[sockindex];
  bool sni = TRUE; /* default is SNI enabled */
#ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
#ifdef ENABLE_IPV6
  struct in6_addr addr;
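Review bot: `bool sni = TRUE;` is declared just above `#ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME`, while `struct in6_addr addr` (used together with `sni` in the later hunk) sits inside that block, which suggests the only reader of `sni` is also inside it; on OpenSSL builds without SSL_CTRL_SET_TLSEXT_HOSTNAME the variable is then assigned in the switch but never read, giving a set-but-unused warning with -Wall. Either move the declaration and the two `sni = FALSE;` assignments under the same #ifdef, or add a `(void)sni;` in the #else path.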
@@ -1376,9 +1377,11 @@ ossl_connect_step1(struct connectdata *conn,
    break;
  case CURL_SSLVERSION_SSLv2:
    req_method = SSLv2_client_method();
    sni = FALSE;
    break;
  case CURL_SSLVERSION_SSLv3:
    req_method = SSLv3_client_method();
    sni = FALSE;
    break;
  }
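Review bot: the two `sni = FALSE;` assignments in the SSLv2 and SSLv3 cases carry no comment, unlike the GnuTLS counterpart's `/* SSLv3 has no SNI */`; adding the same note here (SNI is a TLS extension, so neither protocol version can carry it) keeps the intent obvious to whoever next edits this switch.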

@@ -1565,6 +1568,7 @@ ossl_connect_step1(struct connectdata *conn,
#ifdef ENABLE_IPV6
      (0 == Curl_inet_pton(AF_INET6, conn->host.name, &addr)) &&
#endif
      sni &&
      !SSL_set_tlsext_host_name(connssl->handle, conn->host.name))
    infof(data, "WARNING: failed to configure server name indication (SNI) "
          "TLS extension\n");