openssl: lowercase the hostname before using it for SNI

... because it turns out several servers out there don't actually behave correctly otherwise in spite of the fact that the SNI field is specifically said to be case insensitive in RFC 6066 section 3. Reported-by: David Earl Fixes #6540 Closes #6543
2025-04-18 16:30:45 +08:00 · 2021-01-28 20:16:55 +01:00 · 2021-01-28 20:16:55 +01:00 · 60de76e2ad
commit 60de76e2ad
parent 36ef64841d
1 changed files with 15 additions and 4 deletions
--- a/lib/vtls/openssl.c
+++ b/lib/vtls/openssl.c
@ -3189,10 +3189,21 @@ static CURLcode ossl_connect_step1(struct Curl_easy *data,
 #ifdef ENABLE_IPV6
     (0 == Curl_inet_pton(AF_INET6, hostname, &addr)) &&
 #endif
-     sni &&
-     !SSL_set_tlsext_host_name(backend->handle, hostname))
-    infof(data, "WARNING: failed to configure server name indication (SNI) "
-          "TLS extension\n");
+     sni) {
+    size_t nlen = strlen(hostname);
+    if((long)nlen >= data->set.buffer_size)
+      /* this is seriously messed up */
+      return CURLE_SSL_CONNECT_ERROR;
+
+    /* RFC 6066 section 3 says the SNI field is case insensitive, but browsers
+       send the data lowercase and subsequently there are now numerous servers
+       out there that don't work unless the name is lowercased */
+    Curl_strntolower(data->state.buffer, hostname, nlen);
+    data->state.buffer[nlen] = 0;
+    if(!SSL_set_tlsext_host_name(backend->handle, data->state.buffer))
+      infof(data, "WARNING: failed to configure server name indication (SNI) "
+            "TLS extension\n");
+  }
 #endif

  /* Check if there's a cached ID we can/should use here! */