Mail Archives: cygwin/2023/05/08/13:26:35

Message-ID: <50324d46-b8e3-505b-1994-3cbeb754f064@tsoft.com>
Date: Mon, 8 May 2023 10:25:25 -0700
Subject: Re: OpenSSL failure in Cygwin: SSL_set_tlsext_host_name returns 1 (SSL_TLSEXT_ERR_ALERT_WARNING)
To: cygwin AT cygwin DOT com
References: <b31136f2-3401-34a8-ba89-7528c906bcd3 AT tsoft DOT com>
<70c086a9-4c9f-7cb3-f53a-86c4f9c2d056 AT Shaw DOT ca>
In-Reply-To: <70c086a9-4c9f-7cb3-f53a-86c4f9c2d056@Shaw.ca>
From: Yuri via Cygwin <cygwin AT cygwin DOT com>
Reply-To: Yuri <yuri AT rawbw DOT com>

On 5/8/23 08:31, Brian Inglis wrote:
> Which Cygwin, ssl/tls-devel libraries, and ca-certificates... packages 
> and versions are you using?

libssl-devel-1.1.1t-1
openssl-1.1.1t-1
ca-certificates-2021.2.60-1


>
>     $ man SSL_set_tlsext_host_name
>
> says SSL_set_tlsext_host_name etc. returns 1 for success, 0 for failure?

Yes. It looks like there is a coding error: they don't just check for 
0 or 1, and they check for 0 as a sign of success.

But this code, amazingly, works flawlessly on Linux/BSD.


>
> Web search TLS SNI and you will find that either the host presents a 
> list of certs none of which match the host name you are connecting to, 
> a matching cert cannot be validated, possibly due to a missing CA 
> chain, or one end could not handle the list presented or cert matched; 
> some hits offer diagnostic suggestions.
>


This program has a special variable no_check_cert_flag that allows 
disabling the certificate check: 
https://github.com/proxytunnel/proxytunnel/blob/master/ptstream.c#L356

In my case the certificate is self-signed and this variable is activated.

On Linux the same invocation doesn't cause such failure.

Is this code incorrect?


I will report the incorrect use of SSL_set_tlsext_host_name to proxytunnel.



Yuri


-- 
Problem reports:      https://cygwin.com/problems.html
FAQ:                  https://cygwin.com/faq/
Documentation:        https://cygwin.com/docs.html
Unsubscribe info:     https://cygwin.com/ml/#unsubscribe-simple
