Message-ID: <50324d46-b8e3-505b-1994-3cbeb754f064@tsoft.com>
Date: Mon, 8 May 2023 10:25:25 -0700
Subject: Re: OpenSSL failure in Cygwin: SSL_set_tlsext_host_name returns 1 (SSL_TLSEXT_ERR_ALERT_WARNING)
To: cygwin AT cygwin DOT com
References: <70c086a9-4c9f-7cb3-f53a-86c4f9c2d056 AT Shaw DOT ca>
In-Reply-To: <70c086a9-4c9f-7cb3-f53a-86c4f9c2d056@Shaw.ca>
From: Yuri via Cygwin
Reply-To: Yuri
On 5/8/23 08:31, Brian Inglis wrote:

> Which Cygwin, ssl/tls-devel libraries, and ca-certificates... packages
> and versions are you using?

libssl-devel-1.1.1t-1
openssl-1.1.1t-1
ca-certificates-2021.2.60-1

>     $ man SSL_set_tlsext_host_name
>
> says SSL_set_tlsext_host_name etc. returns 1 for success, 0 for failure?

Yes. It looks like there is a coding error: they don't just check for 0 or 1, and they check for 0 as a sign of success. But this code, amazingly, works flawlessly on Linux/BSD.

> Web search TLS SNI and you will find that either the host presents a
> list of certs none of which match the host name you are connecting to,
> a matching cert cannot be validated, possibly due to a missing CA
> chain, or one end could not handle the list presented or cert matched;
> some hits offer diagnostic suggestions.

This program has a special variable no_check_cert_flag that allows disabling the certificate check:
https://github.com/proxytunnel/proxytunnel/blob/master/ptstream.c#L356

In my case the certificate is self-signed and this variable is activated. On Linux the same invocation doesn't cause such failure.

Is this code incorrect?

I will report the incorrect use of SSL_set_tlsext_host_name to proxytunnel.

Yuri
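The thread above touches two separate things: SNI (the name sent in the ClientHello via SSL_set_tlsext_host_name, whose 1-means-success return value proxytunnel misreads) and certificate verification (which proxytunnel's no_check_cert_flag switches off for a self-signed proxy certificate). The example below is added here for illustration and is not proxytunnel's code or code from this thread; it uses Python's standard ssl module, which wraps the same OpenSSL calls, so it runs without linking libssl. It builds a client context in the three configurations a practitioner would compare: the verifying default, the equivalent of no_check_cert_flag (no chain check, no hostname check), and the safer alternative for a self-signed proxy, where the proxy's own certificate is loaded as the only trust anchor so verification stays on. The function names, the hostname proxy.example.invalid and the mapping of no_check_cert_flag onto CERT_NONE are assumptions made for the example.

```python
import socket
import ssl
from typing import Optional


def make_client_context(no_check_cert: bool = False,
                        self_signed_ca: Optional[str] = None) -> ssl.SSLContext:
    """Build a TLS client context.

    no_check_cert is an assumed equivalent of proxytunnel's no_check_cert_flag:
    the peer certificate is neither validated against a CA nor matched to the
    hostname. self_signed_ca is the path to the proxy's self-signed certificate
    PEM; loading it as the only trust anchor lets verification stay enabled
    even though no public CA signed it.
    """
    ctx = ssl.create_default_context()  # CERT_REQUIRED + check_hostname=True
    if no_check_cert:
        # Weak setting: accepts any certificate from anyone on the path.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    elif self_signed_ca is not None:
        # Pin the self-signed cert as a trust anchor instead of disabling checks.
        ctx.load_verify_locations(cafile=self_signed_ca)
    return ctx


def prepare_sni_socket(ctx: ssl.SSLContext, host: str) -> ssl.SSLSocket:
    """Wrap a not-yet-connected socket so that the handshake, once connect()
    is called, sends `host` as the SNI extension and (when check_hostname is
    on) matches the presented certificate against the same name."""
    return ctx.wrap_socket(socket.socket(), server_hostname=host)


def verification_enabled(ctx: ssl.SSLContext) -> bool:
    """True when both the chain check and the hostname check are active."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname


def sni_is_mandatory(ctx: ssl.SSLContext) -> bool:
    """With check_hostname on, the ssl module refuses to wrap a socket without a
    server_hostname: there would be nothing to compare the certificate to.
    Returns True if wrapping without SNI is rejected for this context."""
    try:
        ctx.wrap_socket(socket.socket()).close()
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    strict = make_client_context()
    s = prepare_sni_socket(strict, "proxy.example.invalid")
    print("SNI name sent:", s.server_hostname,
          "| verifying:", verification_enabled(strict))
    s.close()
    weak = make_client_context(no_check_cert=True)
    print("no_check_cert equivalent verifying:", verification_enabled(weak))
```

The contrast worth noting is that the weak context accepts a handshake from any endpoint that answers, so a self-signed proxy certificate "works" only because nothing is being checked; loading that certificate with load_verify_locations keeps the SNI name and the certificate name tied together and still fails closed if a different certificate turns up.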