Bug 174933 - konqueror does not send correct SNI hostname to https server
Summary: konqueror does not send correct SNI hostname to https server
Status: RESOLVED DUPLICATE of bug 122433
Alias: None
Product: kio
Classification: Frameworks and Libraries
Component: kssl (show other bugs)
Version: unspecified
Platform: unspecified Linux
: NOR normal
Target Milestone: ---
Assignee: Konqueror Developers
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2008-11-12 10:47 UTC by Alain Knaff
Modified: 2011-02-15 21:05 UTC (History)
7 users (show)

See Also:
Latest Commit:
Version Fixed In:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Alain Knaff 2008-11-12 10:47:29 UTC
Version:           4.1.2 (KDE 4.1.2) (using 4.1.2 (KDE 4.1.2), 4.1.2-5.fc9 Fedora)
Compiler:          gcc
OS:                Linux (i686) release 2.6.26.6-79.fc9.i686

As seen by visiting the https://test1.gnutls.org/, https://test2.gnutls.org/ and https://test3.gnutls.org/ sites, konqueror seems to always send the same SNI identifier to all 3 sites (same Server DN line).

Firefox3 gets this right (different Server DN for each site).

Such functionality is needed in order to avoid spurious certificate hostname mismatch warnings when visiting https virtual hosts hosted on the same IP
Comment 1 Jakub Stachowski 2008-11-12 19:37:58 UTC
Fixing this requires Trolltech to add support for SNI in QSslSocket. Qt in turn relies on OpenSSL which should support SNI in version 0.9.9 (not released yet).
Comment 2 Alain Knaff 2008-11-12 20:04:58 UTC
According to the page at http://people.apache.org/~fuankg/diffs/httpd-2.2.x-sni.diff , SNI is supported starting from openssl version 0.9.8f which is out already (I've got 0.9.8g here on my Kubuntu box)
Comment 3 Daniel Black 2009-09-11 02:19:28 UTC
FYI Apache just released httpd 2.2.12 in July 2009 with full server side support for SNI.

The code required just after the SSL_new call. See the openssl apps/s_client.c code for an example:

SSL_new....

+#if OPENSSL_VERSION_NUMBER >= 0x0090806fL && !defined(OPENSSL_NO_TLSEXT)                                                                                
+       /* If SNI isn't supported, we just don't call it and fail silently,                                                                              
+        * as there's not much else we can do.                                                                                                           
+        */                                                                                                                                              
+       if ((proto_version != SSL_VERSION_SSL2) && server_hostname)                                                                                  
+               SSL_set_tlsext_host_name(self->ssl, server_hostname);                                                                                    
+#endif 
(extracted from http://bugs.python.org/issue5639)

FYI a current SNI test site is https://sni.velox.ch/ which lists many common browsers supporting SNI.

tested with konqueror 4.3.1
Comment 4 Daniel Black 2009-09-11 02:26:45 UTC
see bug 122433
Comment 5 Daniel Black 2009-09-23 03:21:51 UTC
as per comment #1 here is the Qt merge request: http://qt.gitorious.org/qt/qt/merge_requests/1574
It doesn't depend on openssl 0.9.9 as some versions of 0.9.8 have it optionally and the last few releases have it enabled by default.

after looking at this closer this bug should be marked as a duplicate of 122433.
Comment 6 Michael Gorven 2010-05-12 15:37:34 UTC
*** This bug has been confirmed by popular vote. ***
Comment 7 David Faure 2011-02-15 21:05:34 UTC

*** This bug has been marked as a duplicate of bug 122433 ***