Commit 639d2e15 authored by Stephane Bortzmeyer's avatar Stephane Bortzmeyer

* [DoT] Fix SNI to send the A-label when the name is an IDN

* [DoT] Fix connection to use the address, not the name
parent eff58cb8
......@@ -205,8 +205,9 @@ class Connection:
# May be loop over the results of getaddrinfo, to test all
# the IP addresses? See #13.
self.sock = socket.socket(addrinfo[0][0], socket.SOCK_STREAM)
self.addr = addrinfo[0][4]
if self.verbose:
print("Connecting to %s ..." % str(addrinfo[0][4]))
print("Connecting to %s ..." % str(self.addr))
# With typical DoT servers, we *must* use TLS 1.2 (otherwise,
# do_handshake fails with "OpenSSL.SSL.SysCallError: (-1, 'Unexpected
# EOF')" Typical HTTP servers are more lax.
......@@ -220,8 +221,8 @@ class Connection:
OpenSSL.SSL.VERIFY_CLIENT_ONCE,
lambda conn, cert, errno, depth, preverify_ok: preverify_ok)
self.session = OpenSSL.SSL.Connection(self.context, self.sock)
self.session.set_tlsext_host_name(check.encode()) # Server Name Indication (SNI)
self.session.connect((self.server, 853))
self.session.set_tlsext_host_name(canonicalize(check).encode()) # Server Name Indication (SNI)
self.session.connect((self.addr))
# TODO We may here have exceptions such as OpenSSL.SSL.ZeroReturnError
self.session.do_handshake()
self.cert = self.session.get_peer_certificate()
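Review bot: `self.session.connect((self.addr))` drops the explicit port 853 the old call passed, so the destination port now comes entirely from the `addrinfo[0][4]` tuple stored in the first hunk; the getaddrinfo call that builds it is outside the hunk, so confirm it resolves with port 853 (not `None`/0), otherwise the SNI fix is paired with a connection to the wrong port. The doubled parentheses around `self.addr` are only grouping, not a tuple, which is correct because `addrinfo[0][4]` is already a full sockaddr — a comment such as `# addrinfo[0][4] is the complete sockaddr (host, port[, flowinfo, scope_id]); the port must already be 853` would make that dependency explicit at the connect line. Separately, the verify callback at the top of the hunk merely returns `preverify_ok`, and nothing between `do_handshake()` and `get_peer_certificate()` compares the certificate's names with `check`; pyOpenSSL does no host-name matching itself, so if that comparison is not done further down (outside the hunk) a valid certificate for any name would be accepted, and when it is done it should use the same canonicalized A-label form now sent in SNI. The enclosing method starts and ends outside both hunks.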