Subject: Re: OpenSSL failure in Cygwin: SSL_set_tlsext_host_name returns 1 (SSL_TLSEXT_ERR_ALERT_WARNING)
From: Yuri
To: cygwin@cygwin.com
Date: Mon, 8 May 2023 10:25:25 -0700
Message-ID: <50324d46-b8e3-505b-1994-3cbeb754f064@tsoft.com>
In-Reply-To: <70c086a9-4c9f-7cb3-f53a-86c4f9c2d056@Shaw.ca>

On 5/8/23 08:31, Brian Inglis wrote:
> Which Cygwin, ssl/tls-devel libraries, and ca-certificates... packages
> and versions are you using?
libssl-devel-1.1.1t-1
openssl-1.1.1t-1
ca-certificates-2021.2.60-1

>
>     $ man SSL_set_tlsext_host_name
>
> says SSL_set_tlsext_host_name etc. returns 1 for success, 0 for failure?

Yes. It looks like there is a coding error that they don't just check for 0 or 1, and check for 0 as a sign of success. But this code, amazingly, works flawlessly on Linux/BSD.

>
> Web search TLS SNI and you will find that either the host presents a
> list of certs none of which match the host name you are connecting to,
> a matching cert cannot be validated, possibly due to a missing CA
> chain, or one end could not handle the list presented or cert matched;
> some hits offer diagnostic suggestions.
>

This program has a special variable no_check_cert_flag that allows disabling the certificate check: https://github.com/proxytunnel/proxytunnel/blob/master/ptstream.c#L356

In my case the certificate is self-signed and this variable is activated. On Linux the same invocation doesn't cause such a failure.

Is this code incorrect?

I will report the incorrect use of SSL_set_tlsext_host_name to proxytunnel.

Yuri