diff --git a/src/config.c b/src/config.c index aaaa6a32..b1c8bb35 100644 --- a/src/config.c +++ b/src/config.c @@ -52,7 +52,7 @@ const struct vpn_config invalid_cfg = { .pinentry = NULL, .realm = {'\0'}, .iface_name = {'\0'}, - .use_sni = -1, + .sni = {'\0'}, .set_routes = -1, .set_dns = -1, .pppd_use_peerdns = -1, @@ -299,15 +299,9 @@ int load_config(struct vpn_config *cfg, const char *filename) continue; } cfg->set_dns = set_dns; - } else if (strcmp(key, "use-sni") == 0) { - int use_sni = strtob(val); - - if (use_sni < 0) { - log_warn("Bad use-sni in configuration file: \"%s\".\n", - val); - continue; - } - cfg->use_sni = use_sni; + } else if (strcmp(key, "sni") == 0) { + free(cfg->sni); + cfg->sni = strdup(val); } else if (strcmp(key, "set-routes") == 0) { int set_routes = strtob(val); @@ -546,8 +540,8 @@ void merge_config(struct vpn_config *dst, struct vpn_config *src) strcpy(dst->realm, src->realm); if (src->iface_name[0]) strcpy(dst->iface_name, src->iface_name); - if (src->use_sni != invalid_cfg.use_sni) - dst->use_sni = src->use_sni; + if (src->sni[0]) + strcpy(dst->sni, src->sni); if (src->set_routes != invalid_cfg.set_routes) dst->set_routes = src->set_routes; if (src->set_dns != invalid_cfg.set_dns) diff --git a/src/config.h b/src/config.h index 4f0cccb5..0c5386b3 100644 --- a/src/config.h +++ b/src/config.h @@ -98,7 +98,7 @@ struct vpn_config { char iface_name[IF_NAMESIZE]; char realm[REALM_SIZE + 1]; - int use_sni; + char *sni; int set_routes; int set_dns; int pppd_use_peerdns; diff --git a/src/main.c b/src/main.c index 98149cea..41e5fbe6 100644 --- a/src/main.c +++ b/src/main.c @@ -126,7 +126,8 @@ PPPD_USAGE \ " --ifname= Bind to interface.\n" \ " --set-routes=[01] Set if openfortivpn should configure routes\n" \ " when tunnel is up.\n" \ -" --no-sni Do not send SNI in ClientHello, same as --use-sni=0.\n" \ +" --sni= Specify a different server name (SNI) than the host argument\n" \ +" during TLS handshake." \ " --no-routes Do not configure routes, same as --set-routes=0.\n" \ " --half-internet-routes=[01] Add two 0.0.0.0/1 and 128.0.0.0/1 routes with higher\n" \ " priority instead of replacing the default route.\n" \ @@ -231,7 +232,7 @@ int main(int argc, char **argv) .pinentry = NULL, .realm = {'\0'}, .iface_name = {'\0'}, - .use_sni = 1, + .sni = NULL, .set_routes = 1, .set_dns = 1, .use_syslog = 0, @@ -291,7 +292,7 @@ int main(int argc, char **argv) {"no-ftm-push", no_argument, &cli_cfg.no_ftm_push, 1}, {"ifname", required_argument, NULL, 0}, {"set-routes", required_argument, NULL, 0}, - {"no-sni", no_argument, &cli_cfg.use_sni, 0}, + {"sni", required_argument, &cli_cfg.sni, 0}, {"no-routes", no_argument, &cli_cfg.set_routes, 0}, {"half-internet-routes", required_argument, NULL, 0}, {"set-dns", required_argument, NULL, 0}, @@ -520,16 +521,9 @@ int main(int argc, char **argv) break; } if (strcmp(long_options[option_index].name, - "use-sni") == 0) { - int use_sni = strtob(optarg); - - if (use_sni < 0) { - log_warn("Bad use-sni option: \"%s\"\n", - optarg); - break; - } - cli_cfg.use_sni = use_sni; - break; + "sni") == 0) { + cli_cfg.sni = strdup(optarg); + break; } if (strcmp(long_options[option_index].name, "set-routes") == 0) { diff --git a/src/tunnel.c b/src/tunnel.c index 0a7882a1..0d1bd92c 100644 --- a/src/tunnel.c +++ b/src/tunnel.c @@ -1270,15 +1270,14 @@ int ssl_connect(struct tunnel *tunnel) // Set SNI for the session - if (tunnel->config->use_sni) { - log_debug("SNI set: %s", tunnel->config->gateway_host); - - if (SSL_set_tlsext_host_name(tunnel->ssl_handle, tunnel->config->gateway_host) != 1) { - log_warn("SSL_set_tlsext_host_name('%s'): %s\n", - tunnel->config->gateway_host, - ERR_error_string(ERR_peek_last_error(), NULL)); - } - } + const char *sni = tunnel->config->sni ? \ + tunnel->config->sni : tunnel->config->gateway_host; + if (SSL_set_tlsext_host_name(tunnel->ssl_handle, sni) != 1) + log_warn("SSL_set_tlsext_host_name('%s'): %s\n", + sni, + ERR_error_string(ERR_peek_last_error(), NULL)); + else: + log_debug("Set SNU TLS handshake: %s\n", sni); // Initiate SSL handshake if (SSL_connect(tunnel->ssl_handle) != 1) {