diff -up wget-1.13.4/src/gnutls.c.tls_sni_support wget-1.13.4/src/gnutls.c
--- wget-1.13.4/src/gnutls.c.tls_sni_support 2011-09-04 14:06:22.000000000 +0200
+++ wget-1.13.4/src/gnutls.c 2012-10-09 09:35:04.476172748 +0200
@@ -54,6 +54,8 @@ as that of the covered work. */
# include "w32sock.h"
#endif
+#include "host.h"
+
/* Note: some of the functions private to this file have names that
begin with "wgnutls_" (e.g. wgnutls_read) so that they wouldn't be
confused with actual gnutls functions -- such as the gnutls_read
@@ -320,13 +322,21 @@ static struct transport_implementation w
};
bool
-ssl_connect_wget (int fd)
+ssl_connect_wget (int fd, const char *hostname)
{
struct wgnutls_transport_context *ctx;
gnutls_session session;
int err;
gnutls_init (&session, GNUTLS_CLIENT);
gnutls_set_default_priority (session);
+
+ /* We set the server name but only if it's not an IP address. */
+ if (! is_ip_address (hostname))
+ {
+ gnutls_server_name_set (session, GNUTLS_NAME_DNS,
+ hostname, strlen(hostname));
+ }
+
gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, credentials);
#ifndef FD_TO_SOCKET
# define FD_TO_SOCKET(X) (X)
diff -up wget-1.13.4/src/host.c.tls_sni_support wget-1.13.4/src/host.c
--- wget-1.13.4/src/host.c.tls_sni_support 2011-08-06 23:22:39.000000000 +0200
+++ wget-1.13.4/src/host.c 2012-10-09 09:32:48.245355889 +0200
@@ -914,3 +914,19 @@ host_cleanup (void)
host_name_addresses_map = NULL;
}
}
+
+/* Determine whether or not a hostname is an IP address that we recognise. */
+bool
+is_ip_address (const char *name)
+{
+ const char *endp;
+
+ endp = name + strlen(name);
+ if (is_valid_ipv4_address (name, endp))
+ return true;
+#ifdef ENABLE_IPV6
+ if (is_valid_ipv6_address (name, endp))
+ return true;
+#endif
+ return false;
+}
diff -up wget-1.13.4/src/host.h.tls_sni_support wget-1.13.4/src/host.h
--- wget-1.13.4/src/host.h.tls_sni_support 2011-01-01 13:12:35.000000000 +0100
+++ wget-1.13.4/src/host.h 2012-10-09 09:32:48.246355887 +0200
@@ -103,4 +103,6 @@ bool sufmatch (const char **, const char
void host_cleanup (void);
+bool is_ip_address (const char *);
+
#endif /* HOST_H */
diff -up wget-1.13.4/src/http.c.tls_sni_support wget-1.13.4/src/http.c
--- wget-1.13.4/src/http.c.tls_sni_support 2011-09-07 12:58:01.000000000 +0200
+++ wget-1.13.4/src/http.c 2012-10-09 09:37:07.532007301 +0200
@@ -1909,7 +1909,7 @@ gethttp (struct url *u, struct http_stat
if (conn->scheme == SCHEME_HTTPS)
{
- if (!ssl_connect_wget (sock))
+ if (!ssl_connect_wget (sock, u->host))
{
fd_close (sock);
return CONSSLERR;
diff -up wget-1.13.4/src/openssl.c.tls_sni_support wget-1.13.4/src/openssl.c
--- wget-1.13.4/src/openssl.c.tls_sni_support 2012-10-09 09:32:48.000000000 +0200
+++ wget-1.13.4/src/openssl.c 2012-10-09 09:39:05.382848841 +0200
@@ -50,6 +50,8 @@ as that of the covered work. */
# include <w32sock.h>
#endif
+#include "host.h"
+
/* Application-wide SSL context. This is common to all SSL
connections. */
static SSL_CTX *ssl_ctx;
@@ -433,7 +435,7 @@ ssl_connect_with_timeout_callback(void *
Returns true on success, false on failure. */
bool
-ssl_connect_wget (int fd)
+ssl_connect_wget (int fd, const char *hostname)
{
SSL *conn;
struct scwt_context scwt_ctx;
@@ -445,6 +447,20 @@ ssl_connect_wget (int fd)
conn = SSL_new (ssl_ctx);
if (!conn)
goto error;
+
+#if OPENSSL_VERSION_NUMBER >= 0x0090806fL && !defined(OPENSSL_NO_TLSEXT)
+ /* If the SSL library was build with support for ServerNameIndication
+ then use it whenever we have a hostname. If not, don't, ever. */
+ if (! is_ip_address (hostname))
+ {
+ if (! SSL_set_tlsext_host_name (conn, hostname))
+ {
+ DEBUGP (("Failed to set TLS server-name indication."));
+ goto error;
+ }
+ }
+#endif
+
#ifndef FD_TO_SOCKET
# define FD_TO_SOCKET(X) (X)
#endif
diff -up wget-1.13.4/src/ssl.h.tls_sni_support wget-1.13.4/src/ssl.h
--- wget-1.13.4/src/ssl.h.tls_sni_support 2011-01-01 13:12:35.000000000 +0100
+++ wget-1.13.4/src/ssl.h 2012-10-09 09:39:38.848803841 +0200
@@ -33,7 +33,7 @@ as that of the covered work. */
#define GEN_SSLFUNC_H
bool ssl_init (void);
-bool ssl_connect_wget (int);
+bool ssl_connect_wget (int, const char *);
bool ssl_check_certificate (int, const char *);
#endif /* GEN_SSLFUNC_H */