set SNI for VPN connection (#1167)

* set SNI for outbound TLS connection - it is a good practice to indicate SNI for target server Signed-off-by: ales stibal <[email protected]> * reformat to match origin style * if setting SNI fails, don't error, just warn and continue * nicer if statements :) Signed-off-by: ales stibal <[email protected]> * fix missing argument for log_warn * Change --no-sni to --sni * Option --sni requires a mandatory argument, a server name (SNI) to use during TLS handshake. * If omitted, openfortivpn will use the host argument instead. * Always set SNI during TLS handshake, using the SNI passed with option --sni, or the host argument. * Style fix --------- Signed-off-by: ales stibal <[email protected]> Co-authored-by: ales stibal <[email protected]>
adrienverge · Nov 14, 2023 · 91527f2 · 91527f2
1 parent 6a5a91f
commit 91527f2
Show file tree

Hide file tree

Showing 4 changed files with 28 additions and 1 deletion.
diff --git a/src/config.c b/src/config.c
@@ -52,6 +52,7 @@ const struct vpn_config invalid_cfg = {
 	.pinentry = NULL,
 	.realm = {'\0'},
 	.iface_name = {'\0'},
+	.sni = NULL,
 	.set_routes = -1,
 	.set_dns = -1,
 	.pppd_use_peerdns = -1,
@@ -298,6 +299,9 @@ int load_config(struct vpn_config *cfg, const char *filename)
 				continue;
 			}
 			cfg->set_dns = set_dns;
+		} else if (strcmp(key, "sni") == 0) {
+			free(cfg->sni);
+			cfg->sni = strdup(val);
 		} else if (strcmp(key, "set-routes") == 0) {
 			int set_routes = strtob(val);
 
@@ -536,6 +540,8 @@ void merge_config(struct vpn_config *dst, struct vpn_config *src)
 		strcpy(dst->realm, src->realm);
 	if (src->iface_name[0])
 		strcpy(dst->iface_name, src->iface_name);
+	if (src->sni[0])
+		strcpy(dst->sni, src->sni);
 	if (src->set_routes != invalid_cfg.set_routes)
 		dst->set_routes = src->set_routes;
 	if (src->set_dns != invalid_cfg.set_dns)

diff --git a/src/config.h b/src/config.h
@@ -98,6 +98,7 @@ struct vpn_config {
 	char			iface_name[IF_NAMESIZE];
 	char			realm[REALM_SIZE + 1];
 
+	char			*sni;
 	int			set_routes;
 	int			set_dns;
 	int			pppd_use_peerdns;

diff --git a/src/main.c b/src/main.c
@@ -125,7 +125,9 @@ PPPD_USAGE \
 "  --realm=<realm>               Use specified authentication realm.\n" \
 "  --ifname=<interface>          Bind to interface.\n" \
 "  --set-routes=[01]             Set if openfortivpn should configure routes\n" \
-"                                when tunnel is up.\n" \
+"                                when tunnel is up.\n"               \
+" --sni=<sni>                    Specify a different server name (SNI) than the host argument\n" \
+"                                during TLS handshake." \
 "  --no-routes                   Do not configure routes, same as --set-routes=0.\n" \
 "  --half-internet-routes=[01]   Add two 0.0.0.0/1 and 128.0.0.0/1 routes with higher\n" \
 "                                priority instead of replacing the default route.\n" \
@@ -230,6 +232,7 @@ int main(int argc, char **argv)
 		.pinentry = NULL,
 		.realm = {'\0'},
 		.iface_name = {'\0'},
+		.sni = NULL,
 		.set_routes = 1,
 		.set_dns = 1,
 		.use_syslog = 0,
@@ -289,6 +292,7 @@ int main(int argc, char **argv)
 		{"no-ftm-push",          no_argument, &cli_cfg.no_ftm_push, 1},
 		{"ifname",               required_argument, NULL, 0},
 		{"set-routes",	         required_argument, NULL, 0},
+		{"sni",                  required_argument, NULL, 0},
 		{"no-routes",            no_argument, &cli_cfg.set_routes, 0},
 		{"half-internet-routes", required_argument, NULL, 0},
 		{"set-dns",              required_argument, NULL, 0},
@@ -516,6 +520,11 @@ int main(int argc, char **argv)
 				cli_cfg.iface_name[IF_NAMESIZE - 1] = '\0';
 				break;
 			}
+			if (strcmp(long_options[option_index].name,
+			           "sni") == 0) {
+				cli_cfg.sni = strdup(optarg);
+				break;
+			}
 			if (strcmp(long_options[option_index].name,
 			           "set-routes") == 0) {
 				int set_routes = strtob(optarg);

diff --git a/src/tunnel.c b/src/tunnel.c
@@ -1268,6 +1268,17 @@ int ssl_connect(struct tunnel *tunnel)
 	}
 	SSL_set_mode(tunnel->ssl_handle, SSL_MODE_AUTO_RETRY);
 
+
+	// Set SNI for the session
+	const char *sni = tunnel->config->sni ? tunnel->config->sni :
+	                  tunnel->config->gateway_host;
+	if (SSL_set_tlsext_host_name(tunnel->ssl_handle, sni) != 1)
+		log_warn("SSL_set_tlsext_host_name('%s'): %s\n",
+		         sni,
+		         ERR_error_string(ERR_peek_last_error(), NULL));
+	else
+		log_debug("Set SNU TLS handshake: %s\n", sni);
+
 	// Initiate SSL handshake
 	if (SSL_connect(tunnel->ssl_handle) != 1) {
 		log_error("SSL_connect: %s\n"