* [DoT] Fix SNI to send the A-label when the name is an IDN

* [DoT] Fix connection to use the address, not the name

* [DoT] Fix SNI to send the A-label when the name is an IDN
* [DoT] Fix connection to use the address, not the name
639d2e15 · Stephane Bortzmeyer · eff58cb8 · 639d2e15
Commit 639d2e15 authored Dec 15, 2019 by Stephane Bortzmeyer
--- a/homer.py
+++ b/homer.py
@@ -205,8 +205,9 @@ class Connection:
            # May be loop over the results of getaddrinfo, to test all
            # the IP addresses? See #13.
            self.sock = socket.socket(addrinfo[0][0], socket.SOCK_STREAM)
+            self.addr = addrinfo[0][4]
            if self.verbose:
-                print("Connecting to %s ..." % str(addrinfo[0][4]))
+                print("Connecting to %s ..." % str(self.addr))
            # With typical DoT servers, we *must* use TLS 1.2 (otherwise,
            # do_handshake fails with "OpenSSL.SSL.SysCallError: (-1, 'Unexpected
            # EOF')" Typical HTTP servers are more lax.
@@ -220,8 +221,8 @@ class Connection:
                                        OpenSSL.SSL.VERIFY_CLIENT_ONCE,
                                        lambda conn, cert, errno, depth, preverify_ok: preverify_ok)
            self.session = OpenSSL.SSL.Connection(self.context, self.sock)
-            self.session.set_tlsext_host_name(check.encode()) # Server Name Indication (SNI)
-            self.session.connect((self.server, 853))
+            self.session.set_tlsext_host_name(canonicalize(check).encode()) # Server Name Indication (SNI)
+            self.session.connect((self.addr))
            # TODO We may here have exceptions such as OpenSSL.SSL.ZeroReturnError
            self.session.do_handshake()
            self.cert = self.session.get_peer_certificate()