Merge pull request #2127 from Expensify/tyler-fix-ssl-2.28

tylerkaraszewski · web-flow · commit ac0147c10311 · 2025-03-12T10:48:20.000-07:00
Fix SNI on mbedtls 2.28.8
diff --git a/libstuff/SSSLState.cpp b/libstuff/SSSLState.cpp
@@ -22,7 +22,7 @@ SSSLState::~SSSLState() {
 }
 
 // --------------------------------------------------------------------------
-SSSLState* SSSLOpen(int s, SX509* x509) {
+SSSLState* SSSLOpen(int s, SX509* x509, const string& hostname) {
     // Initialize the SSL state
     SASSERT(s >= 0);
     SSSLState* state = new SSSLState;
@@ -37,6 +37,12 @@ SSSLState* SSSLOpen(int s, SX509* x509) {
     mbedtls_ssl_conf_rng(&state->conf, mbedtls_ctr_drbg_random, &state->ctr_drbg);
     mbedtls_ssl_set_bio(&state->ssl, &state->s, mbedtls_net_send, mbedtls_net_recv, 0);
 
+    if (hostname.size()) {
+        if (mbedtls_ssl_set_hostname(&state->ssl, hostname.c_str())) {
+            STHROW("ssl set hostname failed");
+        }
+    }
+
     if (x509) {
         // Add the certificate
         mbedtls_ssl_conf_ca_chain(&state->conf, x509->srvcert.next, 0);
diff --git a/libstuff/SSSLState.h b/libstuff/SSSLState.h
@@ -23,7 +23,7 @@ struct SSSLState {
 };
 
 // SSL helpers
-extern SSSLState* SSSLOpen(int s, SX509* x509);
+extern SSSLState* SSSLOpen(int s, SX509* x509, const string& hostname = "");
 extern int SSSLSend(SSSLState* ssl, const char* buffer, int length);
 extern int SSSLSend(SSSLState* ssl, const SFastBuffer& buffer);
 extern bool SSSLSendConsume(SSSLState* ssl, SFastBuffer& sendBuffer);
diff --git a/libstuff/STCPManager.cpp b/libstuff/STCPManager.cpp
@@ -212,7 +212,14 @@ STCPManager::Socket::Socket(const string& host, SX509* x509)
     if (s < 0) {
         STHROW("Couldn't open socket to " + host);
     }
-    ssl = x509 ? SSSLOpen(s, x509) : nullptr;
+
+    string domain;
+    if (x509) {
+        uint16_t port;
+        SParseHost(host, domain, port);
+    }
+
+    ssl = x509 ? SSSLOpen(s, x509, domain) : nullptr;
     SASSERT(!x509 || ssl);
 }
 
