Version: 4.1.2 (KDE 4.1.2) (using 4.1.2 (KDE 4.1.2), 4.1.2-5.fc9 Fedora)
Compiler: gcc
OS: Linux (i686) release 2.6.26.6-79.fc9.i686

As seen by visiting the https://test1.gnutls.org/, https://test2.gnutls.org/ and https://test3.gnutls.org/ sites, konqueror seems to always send the same SNI identifier to all 3 sites (same Server DN line). Firefox3 gets this right (different Server DN for each site).

Such functionality is needed in order to avoid spurious certificate hostname mismatch warnings when visiting https virtual hosts hosted on the same IP.
Fixing this requires Trolltech to add support for SNI in QSslSocket. Qt in turn relies on OpenSSL which should support SNI in version 0.9.9 (not released yet).
According to the page at http://people.apache.org/~fuankg/diffs/httpd-2.2.x-sni.diff , SNI is supported starting from openssl version 0.9.8f which is out already (I've got 0.9.8g here on my Kubuntu box)
FYI Apache just released httpd 2.2.12 in July 2009 with full server side support for SNI.

The code required just after the SSL_new call. See the openssl apps/s_client.c code for an example:

SSL_new.... +#if OPENSSL_VERSION_NUMBER >= 0x0090806fL && !defined(OPENSSL_NO_TLSEXT) + /* If SNI isn't supported, we just don't call it and fail silently, + * as there's not much else we can do. + */ + if ((proto_version != SSL_VERSION_SSL2) && server_hostname) + SSL_set_tlsext_host_name(self->ssl, server_hostname); +#endif

(extracted from http://bugs.python.org/issue5639)

FYI a current SNI test site is https://sni.velox.ch/ which lists many common browsers supporting SNI. Tested with konqueror 4.3.1
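Review bot: the return value of SSL_set_tlsext_host_name() is discarded in the call guarded by `if ((proto_version != SSL_VERSION_SSL2) && server_hostname)`, so a handshake where the extension could not be set proceeds without SNI and the server answers with its default certificate, which is the hostname-mismatch symptom this report describes. Check the result (the macro returns 1 on success, 0 on failure) and report an error to the caller instead of continuing. The same concern applies to the `#if` fallback: the comment says the build without TLSEXT fails silently, so a caller that passed server_hostname cannot tell the name was never sent; surfacing that condition would make the resulting certificate warning diagnosable.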
see bug 122433
As per comment #1, here is the Qt merge request: http://qt.gitorious.org/qt/qt/merge_requests/1574

It doesn't depend on openssl 0.9.9, as some versions of 0.9.8 have it optionally and the last few releases have it enabled by default.

After looking at this closer, this bug should be marked as a duplicate of 122433.
*** This bug has been confirmed by popular vote. ***
*** This bug has been marked as a duplicate of bug 122433 ***