From c5d1fb78fd0fdbe1f1e61211bd56192a0f95bc91 Mon Sep 17 00:00:00 2001 From: Benjamin Kaduk Date: Wed, 30 May 2018 11:12:22 -0500 Subject: [PATCH] Add TODO comment for a nonsensical public API The API used to set what SNI value to send in the ClientHello can also be used on server SSL objects, with undocumented and un-useful behavior. Unfortunately, when generic SSL_METHODs are used, s->server is still set, prior to the start of the handshake, so we cannot prevent this nonsensical usage at the present time. Leave a note to revisit this when ABI-breaking changes are permitted. Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/6378) --- ssl/s3_lib.c | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c index 354769b0c1..c170eed5e1 100644 --- a/ssl/s3_lib.c +++ b/ssl/s3_lib.c @@ -3466,6 +3466,15 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg) break; #endif /* !OPENSSL_NO_EC */ case SSL_CTRL_SET_TLSEXT_HOSTNAME: + /* + * TODO(OpenSSL1.2) + * This API is only used for a client to set what SNI it will request + * from the server, but we currently allow it to be used on servers + * as well, which is a programming error. Currently we just clear + * the field in SSL_do_handshake() for server SSLs, but when we can + * make ABI-breaking changes, we may want to make use of this API + * an error on server SSLs. + */ if (larg == TLSEXT_NAMETYPE_host_name) { size_t len; -- 2.25.1