CMP app and app_http_tls_cb(): pick the right TLS hostname (also without port)
authorDr. David von Oheimb <David.von.Oheimb@siemens.com>
Thu, 12 Jan 2023 09:54:50 +0000 (10:54 +0100)
committerHugo Landau <hlandau@openssl.org>
Wed, 10 May 2023 17:35:38 +0000 (18:35 +0100)
Fixes #20031

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20034)

apps/cmp.c
apps/lib/apps.c

index 6cd3d7e7c015e4e3371d559e4025c1ad0b0e086f..bfbfa9ce8ac0dcce36825dbc6fac1ccd5fd78492 100644 (file)
@@ -1952,7 +1952,7 @@ static int setup_client_ctx(OSSL_CMP_CTX *ctx, ENGINE *engine)
         if ((info = OPENSSL_zalloc(sizeof(*info))) == NULL)
             goto err;
         (void)OSSL_CMP_CTX_set_http_cb_arg(ctx, info);
-        info->server = opt_server;
+        info->server = host;
         info->port = server_port;
         /* workaround for callback design flaw, see #17088: */
         info->use_proxy = proxy_host != NULL;
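Review bot: `info->server = host;` stores a pointer whose ownership is not visible in the hunk; if `host` is a heap string that setup_client_ctx frees on its cleanup path (the rest of the function is outside the hunk), `info->server` dangles for the lifetime of the callback argument set two lines above, which is exactly the lifetime the HTTP callback needs it for. If that is the case, transfer ownership explicitly right after the assignment, `host = NULL; /* now owned by info, freed with it */`, and make sure the info-freeing routine releases it. Otherwise a comment stating who owns the string, e.g. `/* host is owned by the caller and outlives info */`, would save the next reader from having to trace it. The old `opt_server` pointed at argv-backed option storage, where this question did not arise, so the change in lifetime deserves a note either way.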
index 701ed6d7dcc52bfecd8c410f943ef547d58922a0..4a749b0df34792ba62de899a5b9625e0aaacfd25 100644 (file)
@@ -2529,6 +2529,10 @@ BIO *app_http_tls_cb(BIO *bio, void *arg, int connect, int detail)
     if (connect) {
         SSL *ssl;
         BIO *sbio = NULL;
+        X509_STORE *ts = SSL_CTX_get_cert_store(ssl_ctx);
+        X509_VERIFY_PARAM *vpm = X509_STORE_get0_param(ts);
+        const char *host = vpm == NULL ? NULL :
+            X509_VERIFY_PARAM_get0_host(vpm, 0 /* first hostname */);
 
         /* adapt after fixing callback design flaw, see #17088 */
         if ((info->use_proxy
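Review bot: `X509_STORE_get0_param(ts)` dereferences its argument, but `ts` is not checked; `SSL_CTX_get_cert_store(ssl_ctx)` returns NULL when the store has been cleared with `SSL_CTX_set_cert_store(ctx, NULL)` (or if ssl_ctx itself is NULL, whose origin is outside the hunk), so the `vpm == NULL` guard on the next line comes one step too late. Guarding the store instead makes the chain safe: `X509_VERIFY_PARAM *vpm = ts == NULL ? NULL : X509_STORE_get0_param(ts);`. It would also help to say why index 0 is the right choice, since `X509_VERIFY_PARAM_get0_host(vpm, 0)` silently picks only the first of possibly several configured hostnames: `/* only the first expected hostname is used for SNI */`. app_http_tls_cb starts before this hunk.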
@@ -2543,8 +2547,8 @@ BIO *app_http_tls_cb(BIO *bio, void *arg, int connect, int detail)
             return NULL;
         }
 
-        /* adapt after fixing callback design flaw, see #17088 */
-        SSL_set_tlsext_host_name(ssl, info->server); /* not critical to do */
+        if (vpm != NULL)
+            SSL_set_tlsext_host_name(ssl, host /* may be NULL */);
 
         SSL_set_connect_state(ssl);
         BIO_set_ssl(sbio, ssl, BIO_CLOSE);
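Review bot: The return value of `SSL_set_tlsext_host_name(ssl, host)` is still ignored, and the commit dropped the old `/* not critical to do */` remark, so the new code no longer says whether a failure (name longer than TLSEXT_MAXLEN_host_name, or an allocation failure) is acceptable. Since the SNI sent is now the same name the certificate is verified against, the verification step will still fail closed on a mismatch, so ignoring the failure is defensible, but that reasoning should be written down, e.g. `/* SNI failure is non-fatal: hostname verification via vpm still applies */`. Passing `host == NULL` clears any previously set SNI, which is fine for a fresh SSL object but worth stating in the comment in place of the bare `/* may be NULL */`. app_http_tls_cb continues past this hunk.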