To talk to a site that serves multiple names on a single IP address, the client needs to ask for the specific hostname it wants to talk to. Otherwise, the default certificate returned from the IP address may not match that of the host we wanted to talk to.

Signed-off-by: Junio C Hamano <gitster@xxxxxxxxx>
---
* I need help from people on this patch in two areas:

(1) I only tested this patch by connecting to https://googlemail.com/ with

$ git -c imap.host=imaps://googlemail.com -c imap.port=443 imap-send <this-patch.txt

as it is the only site I knew clients need to talk SNI to get the right certificate to verify; of course the port does not talk imap, and the only thing that is tested by that approach is we successfully establish an SSL/TLS connection. Without the patch, we fail to verify the certificate (we get a cert that is for another hostname that is hosted at the same IP address), and with the patch, we successfully get the right one. I would appreciate it if somebody knows an imap server that needs SNI and runs an end-to-end test against that server.

(2) I do not know if everybody has the SSL_set_tslext_host_name() macro defined, so this patch may be breaking the build for people with different versions of OpenSSL.

imap-send.c | 9 +++++++++
1 file changed, 9 insertions(+)

diff --git a/imap-send.c b/imap-send.c
index 171c887..d9abd8b 100644
--- a/imap-send.c
+++ b/imap-send.c
@@ -370,6 +370,15 @@ static int ssl_socket_connect(struct imap_socket *sock, int use_tls_only, int ve return -1; } + /* + * SNI (RFC4366) + * OpenSSL does not document this function, but the implementation + * returns 1 on success, 0 on failure after calling SSLerr(). + */ + ret = SSL_set_tlsext_host_name(sock->ssl, server.host); + if (ret != 1) + warning("SSL_set_tslext_host_name(%s) failed.\n", server.host); + ret = SSL_connect(sock->ssl); if (ret <= 0) { socket_perror("SSL_connect", sock, ret); -- 1.8.2.rc0.106.ga6e4a61
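Review bot: the warning() format string misspells the function it reports on: the code calls SSL_set_tlsext_host_name() but the message reads SSL_set_tslext_host_name(%s), so anyone grepping the source for the text of the message lands on a function that does not exist; suggest `warning("SSL_set_tlsext_host_name(%s) failed.", server.host);`, also dropping the trailing "\n", since git's warning() already terminates the message with a newline. Two more points on the same lines. The cover note itself worries that the macro may be missing on some OpenSSL versions, and the hunk calls it unconditionally; the macro only exists when OpenSSL is built with TLS extension support, so wrapping the new block in `#ifndef OPENSSL_NO_TLSEXT` (or a check on OPENSSL_VERSION_NUMBER) keeps the build working on older or stripped-down libraries instead of failing to compile. And server.host is handed to SNI as-is: the extension carries a DNS hostname, and the RFC the comment cites (RFC 4366, now RFC 6066) does not allow literal IPv4/IPv6 addresses, so when imap.host is configured as an IP literal the client should skip the call rather than send an extension the spec forbids; the subsequent certificate check still catches a wrong certificate in that case, so skipping is safe.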