
Commit 6761324

committed
feat: Disable SNI for STARTTLS (#7499)
Many clients don't send it currently, so it is unlikely that servers depend on it: https://mastodon.social/@cks/114690055923939576. For "implicit TLS", do not turn it off yet; it will serve as a fallback in case of a rare server that needs it. If a server only supports STARTTLS and requires SNI, that is really weird and likely should not happen.
1 parent 8bce137 commit 6761324


6 files changed

+43
-6
lines changed


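--- a/src/imap/client.rs
+++ b/src/imap/client.rs
@@ -207,6 +207,7 @@ impl Client {
         hostname: &str,
         strict_tls: bool,
     ) -> Result<Self> {
+        let use_sni = true;
         let tcp_stream = connect_tcp_inner(addr).await?;
         let account_id = context.get_id();
         let events = context.events.clone();
@@ -215,6 +216,7 @@ impl Client {
             strict_tls,
             hostname,
             addr.port(),
+            use_sni,
             alpn(addr.port()),
             logging_stream,
             &context.tls_session_store,
@@ -251,6 +253,7 @@ impl Client {
         host: &str,
         strict_tls: bool,
     ) -> Result<Self> {
+        let use_sni = false;
         let tcp_stream = connect_tcp_inner(addr).await?;
 
         let account_id = context.get_id();
@@ -275,6 +278,7 @@ impl Client {
             strict_tls,
             host,
             addr.port(),
+            use_sni,
             "",
             tcp_stream,
             &context.tls_session_store,
@@ -294,13 +298,15 @@ impl Client {
         strict_tls: bool,
         proxy_config: ProxyConfig,
     ) -> Result<Self> {
+        let use_sni = true;
         let proxy_stream = proxy_config
             .connect(context, domain, port, strict_tls)
             .await?;
         let tls_stream = wrap_tls(
             strict_tls,
             domain,
             port,
+            use_sni,
             alpn(port),
             proxy_stream,
             &context.tls_session_store,
@@ -340,6 +346,7 @@ impl Client {
         proxy_config: ProxyConfig,
         strict_tls: bool,
     ) -> Result<Self> {
+        let use_sni = false;
         let proxy_stream = proxy_config
             .connect(context, hostname, port, strict_tls)
             .await?;
@@ -362,6 +369,7 @@ impl Client {
             strict_tls,
             hostname,
             port,
+            use_sni,
             "",
             proxy_stream,
             &context.tls_session_store,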
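Review bot: The new `let use_sni = true;` / `let use_sni = false;` lines carry no comment, so the reason STARTTLS connections stop sending SNI while implicit-TLS connections keep it lives only in the commit message and will be lost to the next reader of the code. At the two STARTTLS sites (the hunks at old lines 251 and 340) I would write `// STARTTLS: do not send SNI; many clients omit it, so servers are unlikely to depend on it.`, and at the implicit-TLS sites `// Implicit TLS: keep sending SNI for now as a fallback for the rare server that needs it.`. The same bare flags appear in src/net.rs, src/net/proxy.rs and src/smtp/connect.rs and would benefit from the same one-line comment. All of the enclosing functions start before and end after their hunks.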

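--- a/src/net.rs
+++ b/src/net.rs
@@ -131,11 +131,13 @@ pub(crate) async fn connect_tls_inner(
     alpn: &str,
     tls_session_store: &TlsSessionStore,
 ) -> Result<impl SessionStream + 'static> {
+    let use_sni = true;
     let tcp_stream = connect_tcp_inner(addr).await?;
     let tls_stream = wrap_tls(
         strict_tls,
         host,
         addr.port(),
+        use_sni,
         alpn,
         tcp_stream,
         tls_session_store,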

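--- a/src/net/http.rs
+++ b/src/net/http.rs
@@ -74,19 +74,33 @@ where
         }
         "https" => {
             let port = parsed_url.port_u16().unwrap_or(443);
-            let load_cache = true;
+            let (use_sni, load_cache) = (true, true);
 
             if let Some(proxy_config) = proxy_config_opt {
                 let proxy_stream = proxy_config
                     .connect(context, host, port, load_cache)
                     .await?;
-                let tls_stream =
-                    wrap_rustls(host, port, "", proxy_stream, &context.tls_session_store).await?;
+                let tls_stream = wrap_rustls(
+                    host,
+                    port,
+                    use_sni,
+                    "",
+                    proxy_stream,
+                    &context.tls_session_store,
+                )
+                .await?;
                 Box::new(tls_stream)
             } else {
                 let tcp_stream = crate::net::connect_tcp(context, host, port, load_cache).await?;
-                let tls_stream =
-                    wrap_rustls(host, port, "", tcp_stream, &context.tls_session_store).await?;
+                let tls_stream = wrap_rustls(
+                    host,
+                    port,
+                    use_sni,
+                    "",
+                    tcp_stream,
+                    &context.tls_session_store,
+                )
+                .await?;
                 Box::new(tls_stream)
             }
         }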
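Review bot: `let (use_sni, load_cache) = (true, true);` bundles two unrelated flags into one tuple pattern, which hides which value belongs to which name and differs from every other call site in this commit, where `use_sni` is a plain `let` on its own line. I would keep them separate, `let use_sni = true;` followed by `let load_cache = true;`, so each flag can be grepped and commented independently. The enclosing function starts before the hunk; only its `"https"` match arm is visible here.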

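--- a/src/net/proxy.rs
+++ b/src/net/proxy.rs
@@ -429,9 +429,11 @@ impl ProxyConfig {
                     load_cache,
                 )
                 .await?;
+                let use_sni = true;
                 let tls_stream = wrap_rustls(
                     &https_config.host,
                     https_config.port,
+                    use_sni,
                     "",
                     tcp_stream,
                     &context.tls_session_store,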

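--- a/src/net/tls.rs
+++ b/src/net/tls.rs
@@ -13,12 +13,14 @@ pub async fn wrap_tls<'a>(
     strict_tls: bool,
     hostname: &str,
     port: u16,
+    use_sni: bool,
     alpn: &str,
     stream: impl SessionStream + 'static,
     tls_session_store: &TlsSessionStore,
 ) -> Result<impl SessionStream + 'a> {
     if strict_tls {
-        let tls_stream = wrap_rustls(hostname, port, alpn, stream, tls_session_store).await?;
+        let tls_stream =
+            wrap_rustls(hostname, port, use_sni, alpn, stream, tls_session_store).await?;
         let boxed_stream: Box<dyn SessionStream> = Box::new(tls_stream);
         Ok(boxed_stream)
     } else {
@@ -32,6 +34,7 @@ pub async fn wrap_tls<'a>(
         };
         let tls = async_native_tls::TlsConnector::new()
             .min_protocol_version(Some(async_native_tls::Protocol::Tlsv12))
+            .use_sni(use_sni)
             .request_alpns(&alpns)
             .danger_accept_invalid_hostnames(true)
             .danger_accept_invalid_certs(true);
@@ -90,6 +93,7 @@ impl TlsSessionStore {
 pub async fn wrap_rustls<'a>(
     hostname: &str,
     port: u16,
+    use_sni: bool,
     alpn: &str,
     stream: impl SessionStream + 'a,
     tls_session_store: &TlsSessionStore,
@@ -117,6 +121,7 @@ pub async fn wrap_rustls<'a>(
     let resumption = tokio_rustls::rustls::client::Resumption::store(resumption_store)
         .tls12_resumption(tokio_rustls::rustls::client::Tls12Resumption::Disabled);
     config.resumption = resumption;
+    config.enable_sni = use_sni;
 
     let tls = tokio_rustls::TlsConnector::from(Arc::new(config));
     let name = rustls_pki_types::ServerName::try_from(hostname)?.to_owned();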
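Review bot: Both `wrap_tls` and `wrap_rustls` gain a public `use_sni: bool` parameter without any `///` documentation, and the security-relevant consequence of turning it off is not stated anywhere in the code. The doc line I would add above each signature (which begins before the hunk) is `/// \`use_sni\`: whether to send the TLS Server Name Indication extension. Certificate verification is unaffected: the rustls path still checks the certificate against \`hostname\` via \`ServerName::try_from\`, so a server that presents a non-matching default certificate when SNI is absent fails the strict handshake rather than being accepted.`. It is also worth recording in that comment that the non-strict native-tls path already sets `danger_accept_invalid_hostnames(true)` and `danger_accept_invalid_certs(true)`, so in that mode `use_sni` only affects server certificate selection, not what the client accepts. I cannot tell from this hunk whether rustls session resumption keyed on `hostname` behaves the same with `enable_sni = false`; that would be worth a one-line note once confirmed.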

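--- a/src/smtp/connect.rs
+++ b/src/smtp/connect.rs
@@ -228,13 +228,15 @@ async fn connect_secure_proxy(
     strict_tls: bool,
     proxy_config: ProxyConfig,
 ) -> Result<Box<dyn SessionBufStream>> {
+    let use_sni = true;
     let proxy_stream = proxy_config
         .connect(context, hostname, port, strict_tls)
         .await?;
     let tls_stream = wrap_tls(
         strict_tls,
         hostname,
         port,
+        use_sni,
         alpn(port),
         proxy_stream,
         &context.tls_session_store,
@@ -253,6 +255,7 @@ async fn connect_starttls_proxy(
     strict_tls: bool,
     proxy_config: ProxyConfig,
 ) -> Result<Box<dyn SessionBufStream>> {
+    let use_sni = false;
     let proxy_stream = proxy_config
         .connect(context, hostname, port, strict_tls)
         .await?;
@@ -266,6 +269,7 @@ async fn connect_starttls_proxy(
         strict_tls,
         hostname,
         port,
+        use_sni,
         "",
         tcp_stream,
         &context.tls_session_store,
@@ -316,6 +320,7 @@ async fn connect_starttls(
     strict_tls: bool,
     tls_session_store: &TlsSessionStore,
 ) -> Result<Box<dyn SessionBufStream>> {
+    let use_sni = false;
     let tcp_stream = connect_tcp_inner(addr).await?;
 
     // Run STARTTLS command and convert the client back into a stream.
@@ -327,6 +332,7 @@ async fn connect_starttls(
         strict_tls,
         host,
         addr.port(),
+        use_sni,
         "",
         tcp_stream,
         tls_session_store,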
