

ref: 6738dec919708e91b5f9f8128791b29a562ef815
parent: 7d02c348ebdb936f8d51c7c78cdc83843a3d3aef
author: igor <igor@mux>
date: Sat Jan 28 19:18:46 EST 2023

Check for client extensions before dealing with certificate.

--- a/tlshand.c
+++ b/tlshand.c
@@ -744,6 +744,12 @@
 		c->sec->psk = psk;
 		c->sec->psklen = psklen;
 	}
+	if(checkClientExtensions(c, m.u.clientHello.extensions) < 0)
+		goto Err;
+	if(trace)
+		trace("ClientHello server name indicator %s\n", c->serverName);
+    // TODO: implement function that selects the right certificate
+    // from an array of certificate names given the SNI
 	if(certlen > 0){
 		/* server certificate */
 		c->sec->rsapub = X509toRSApub(cert, certlen, nil, 0);
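Review bot: The two TODO comment lines added after the trace call are indented with four spaces in a file that indents with tabs (every neighbouring line in the hunk), and use `//` where the adjacent comment uses `/* */`; a single tab-indented `	/* TODO: select the server certificate by c->serverName (SNI) */` would match the file. When that selection is implemented, note that c->serverName is taken from the client's ClientHello and so is untrusted input: a name matching none of the configured certificates, or a ClientHello without an SNI extension (which presumably leaves c->serverName unset — not visible in this hunk), should fall back to a default certificate rather than be used as a lookup index without a bounds and null check. Moving checkClientExtensions ahead of the X509toRSApub call is a sensible order, since a malformed extension block now fails before any certificate state is allocated. The enclosing function starts and ends outside the hunk.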
@@ -757,10 +763,6 @@
 			goto Err;
 		}
 	}
-	if(checkClientExtensions(c, m.u.clientHello.extensions) < 0)
-		goto Err;
-	if(trace)
-		trace("ClientHello server name indicator %s\n", c->serverName);
 	cipher = okCipher(m.u.clientHello.ciphers, psklen > 0, c->sec->nc != nil);
 	if(cipher < 0 || !setAlgs(c, cipher)) {
 		tlsError(c, EHandshakeFailure, "no matching cipher suite");