Change --no-sni to --sni

* Option --sni requires a mandatory argument, a server name (SNI) to use during TLS handshake. * If omitted, openfortivpn will use the host argument instead. * Always set SNI during TLS handshake, using the SNI passed with option --sni, or the host argument.
adrienverge · Nov 6, 2023 · df41fbf · df41fbf
1 parent 691cf27
commit df41fbf
Show file tree

Hide file tree

Showing 4 changed files with 26 additions and 39 deletions.
diff --git a/src/config.c b/src/config.c
@@ -52,7 +52,7 @@ const struct vpn_config invalid_cfg = {
 	.pinentry = NULL,
 	.realm = {'\0'},
 	.iface_name = {'\0'},
-        .use_sni = -1,
+	.sni = {'\0'},
 	.set_routes = -1,
 	.set_dns = -1,
 	.pppd_use_peerdns = -1,
@@ -299,16 +299,10 @@ int load_config(struct vpn_config *cfg, const char *filename)
 				continue;
 			}
 			cfg->set_dns = set_dns;
-                } else if (strcmp(key, "use-sni") == 0) {
-                        int use_sni = strtob(val);
-
-                        if (use_sni < 0) {
-                                log_warn("Bad use-sni in configuration file: \"%s\".\n",
-                                         val);
-                                continue;
-                        }
-                        cfg->use_sni = use_sni;
-                } else if (strcmp(key, "set-routes") == 0) {
+		} else if (strcmp(key, "sni") == 0) {
+			free(cfg->sni);
+			cfg->sni = strdup(val);
+		} else if (strcmp(key, "set-routes") == 0) {
 			int set_routes = strtob(val);
 
 			if (set_routes < 0) {
@@ -546,8 +540,8 @@ void merge_config(struct vpn_config *dst, struct vpn_config *src)
 		strcpy(dst->realm, src->realm);
 	if (src->iface_name[0])
 		strcpy(dst->iface_name, src->iface_name);
-    if (src->use_sni != invalid_cfg.use_sni)
-        dst->use_sni = src->use_sni;
+	if (src->sni[0])
+		strcpy(dst->sni, src->sni);
 	if (src->set_routes != invalid_cfg.set_routes)
 		dst->set_routes = src->set_routes;
 	if (src->set_dns != invalid_cfg.set_dns)

diff --git a/src/config.h b/src/config.h
@@ -98,7 +98,7 @@ struct vpn_config {
 	char			iface_name[IF_NAMESIZE];
 	char			realm[REALM_SIZE + 1];
 
-        int                     use_sni;
+	char			*sni;
 	int			set_routes;
 	int			set_dns;
 	int			pppd_use_peerdns;

diff --git a/src/main.c b/src/main.c
@@ -126,7 +126,8 @@ PPPD_USAGE \
 "  --ifname=<interface>          Bind to interface.\n" \
 "  --set-routes=[01]             Set if openfortivpn should configure routes\n" \
 "                                when tunnel is up.\n"               \
-"  --no-sni                      Do not send SNI in ClientHello, same as --use-sni=0.\n" \
+" --sni=<sni>                    Specify a different server name (SNI) than the host argument\n" \
+"                                during TLS handshake." \
 "  --no-routes                   Do not configure routes, same as --set-routes=0.\n" \
 "  --half-internet-routes=[01]   Add two 0.0.0.0/1 and 128.0.0.0/1 routes with higher\n" \
 "                                priority instead of replacing the default route.\n" \
@@ -231,7 +232,7 @@ int main(int argc, char **argv)
 		.pinentry = NULL,
 		.realm = {'\0'},
 		.iface_name = {'\0'},
-		.use_sni = 1,
+		.sni = NULL,
 		.set_routes = 1,
 		.set_dns = 1,
 		.use_syslog = 0,
@@ -291,7 +292,7 @@ int main(int argc, char **argv)
 		{"no-ftm-push",          no_argument, &cli_cfg.no_ftm_push, 1},
 		{"ifname",               required_argument, NULL, 0},
 		{"set-routes",	         required_argument, NULL, 0},
-                {"no-sni",               no_argument, &cli_cfg.use_sni, 0},
+		{"sni",                  required_argument, &cli_cfg.sni, 0},
 		{"no-routes",            no_argument, &cli_cfg.set_routes, 0},
 		{"half-internet-routes", required_argument, NULL, 0},
 		{"set-dns",              required_argument, NULL, 0},
@@ -519,18 +520,11 @@ int main(int argc, char **argv)
 				cli_cfg.iface_name[IF_NAMESIZE - 1] = '\0';
 				break;
 			}
-                       if (strcmp(long_options[option_index].name,
-                                   "use-sni") == 0) {
-                                int use_sni = strtob(optarg);
-
-                                if (use_sni < 0) {
-                                    log_warn("Bad use-sni option: \"%s\"\n",
-                                             optarg);
-                                    break;
-                                }
-                                cli_cfg.use_sni = use_sni;
-                                break;
-                        } 
+			if (strcmp(long_options[option_index].name,
+			           "sni") == 0) {
+				cli_cfg.sni = strdup(optarg);
+				break;
+			} 
 			if (strcmp(long_options[option_index].name,
 			           "set-routes") == 0) {
 				int set_routes = strtob(optarg);

diff --git a/src/tunnel.c b/src/tunnel.c
@@ -1269,16 +1269,15 @@ int ssl_connect(struct tunnel *tunnel)
 	SSL_set_mode(tunnel->ssl_handle, SSL_MODE_AUTO_RETRY);
 
 
-        // Set SNI for the session
-        if (tunnel->config->use_sni) {
-            log_debug("SNI set: %s", tunnel->config->gateway_host);
-
-            if (SSL_set_tlsext_host_name(tunnel->ssl_handle, tunnel->config->gateway_host) != 1) {
-                log_warn("SSL_set_tlsext_host_name('%s'): %s\n",
-                         tunnel->config->gateway_host,
-                         ERR_error_string(ERR_peek_last_error(), NULL));
-            }
-        }
+	// Set SNI for the session
+	const char *sni = tunnel->config->sni ? \
+	                  tunnel->config->sni : tunnel->config->gateway_host;
+	if (SSL_set_tlsext_host_name(tunnel->ssl_handle, sni) != 1)
+		log_warn("SSL_set_tlsext_host_name('%s'): %s\n",
+		         sni,
+		         ERR_error_string(ERR_peek_last_error(), NULL));
+	else
+		log_debug("Set SNU TLS handshake: %s\n", sni);
 
 	// Initiate SSL handshake
 	if (SSL_connect(tunnel->ssl_handle) != 1) {