From: Benjamin Kaduk Date: Wed, 30 May 2018 16:12:22 +0000 (-0500) Subject: Add TODO comment for a nonsensical public API X-Git-Tag: OpenSSL_1_1_1-pre9~112 X-Git-Url: https://git.librecmc.org/?a=commitdiff_plain;h=c5d1fb78fd0fdbe1f1e61211bd56192a0f95bc91;p=oweals%2Fopenssl.git Add TODO comment for a nonsensical public API The API used to set what SNI value to send in the ClientHello can also be used on server SSL objects, with undocumented and un-useful behavior. Unfortunately, when generic SSL_METHODs are used, s->server is still set, prior to the start of the handshake, so we cannot prevent this nonsensical usage at the present time. Leave a note to revisit this when ABI-breaking changes are permitted. Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/6378) --- diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c index 354769b0c1..c170eed5e1 100644 --- a/ssl/s3_lib.c +++ b/ssl/s3_lib.c @@ -3466,6 +3466,15 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg) break; #endif /* !OPENSSL_NO_EC */ case SSL_CTRL_SET_TLSEXT_HOSTNAME: + /* + * TODO(OpenSSL1.2) + * This API is only used for a client to set what SNI it will request + * from the server, but we currently allow it to be used on servers + * as well, which is a programming error. Currently we just clear + * the field in SSL_do_handshake() for server SSLs, but when we can + * make ABI-breaking changes, we may want to make use of this API + * an error on server SSLs. + */ if (larg == TLSEXT_NAMETYPE_host_name) { size_t len;
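Review bot: The TODO comment added under `case SSL_CTRL_SET_TLSEXT_HOSTNAME:` in ssl3_ctrl() leaves out the reason the call cannot be rejected today, which only the commit message gives: with generic SSL_METHODs, s->server is still set before the handshake starts, so it cannot distinguish a real server SSL at this point. Suggest carrying that sentence into the comment so a later reader does not simply add an s->server test here and break clients that use a generic method. The closing clause "we may want to make use of this API an error on server SSLs" is easy to misparse; "we may want to make it an error to use this API on server SSLs" reads more clearly. Since the commit message describes the server-side behaviour as undocumented and this patch touches only ssl/s3_lib.c, a sentence in the public documentation for this control stating that it is client-only, and that a value set on a server SSL is cleared in SSL_do_handshake(), would help callers well before an ABI-breaking release.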