From 4320ba0d9f4b963f8b65eeffa65ab31da975281b Mon Sep 17 00:00:00 2001
From: Kevin Cernekee
Date: Mon, 18 Apr 2016 16:17:31 -0700
Subject: [PATCH 1/2] Fix typo in error message

Signed-off-by: Kevin Cernekee
---
 src/tlsdate-helper.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/tlsdate-helper.c b/src/tlsdate-helper.c
index 877c67e..4202e90 100644
--- a/src/tlsdate-helper.c
+++ b/src/tlsdate-helper.c
@@ -1152,7 +1152,7 @@ run_ssl (uint32_t *time_map, int time_is_an_illusion, int http)
 {
 if (-1 == stat(ca_cert_container, &statbuf))
 {
- die("Unable to stat CA certficate container %s", ca_cert_container);
+ die("Unable to stat CA certificate container %s", ca_cert_container);
 } else { switch (statbuf.st_mode & S_IFMT)

From 4de0f12f92ddbb0c9db5d5ba0736cdba0fee37c5 Mon Sep 17 00:00:00 2001
From: Kevin Cernekee
Date: Mon, 18 Apr 2016 16:17:45 -0700
Subject: [PATCH 2/2] Enable TLS SNI

In environments where SSL interception is in place, the SNI field is often used to figure out whether to enable or disable interception for a new connection. Enable SNI on tlsdate requests. More background info: http://crbug.com/400429

Signed-off-by: Kevin Cernekee
---
 src/tlsdate-helper.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/src/tlsdate-helper.c b/src/tlsdate-helper.c
index 4202e90..cbf6813 100644
--- a/src/tlsdate-helper.c
+++ b/src/tlsdate-helper.c
@@ -1187,6 +1187,7 @@ run_ssl (uint32_t *time_map, int time_is_an_illusion, int http)
 }
 SSL_set_mode(ssl, SSL_MODE_AUTO_RETRY);
+ SSL_set_tlsext_host_name(ssl, host);
 verb("V: opening socket to %s:%s", host, port);
 if ( (1 != BIO_set_conn_hostname(s_bio, host)) || (1 != BIO_set_conn_port(s_bio, port)) )
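Review bot: In PATCH 2/2 the added `SSL_set_tlsext_host_name(ssl, host);` discards its result, while the neighbouring `BIO_set_conn_hostname` and `BIO_set_conn_port` calls in the same hunk are compared against 1; if setting the extension fails, the ClientHello goes out without SNI and the interception policy the commit message describes is applied as for an unnamed connection, with nothing in the log. I would check it in the same style, `if (1 != SSL_set_tlsext_host_name(ssl, host)) die("Unable to set TLS SNI for %s", host);`, or at least emit a `verb()` line. Two things to confirm outside the hunk: whether `host` can be an IP literal, since RFC 6066 does not permit literal addresses in the server_name extension, and whether the project still builds against OpenSSL configured without TLS extensions, where this macro would presumably be missing. A short comment such as `/* SNI is sent in cleartext; middleboxes key their intercept/bypass decision on it */` would also record why the call is there. run_ssl begins and ends outside the hunk.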