[Help-gnutls] Re: Unknown type '0' for SNI: 'foo.domain.bar'
Simon Josefsson
simon at josefsson.org
Mon Aug 20 23:22:33 CEST 2007
Simon Josefsson <simon at josefsson.org> writes:
> "jesse keys" <jesse at teranetworks.de> writes:
>
>> Hi there,
>> first of all: thanks for making SNI possible!
>>
>> So far it's working great. However, I find
>> [crit] GnuTLS: Unknown type '0' for SNI: 'my.domain.org'
>> errors in my apache error_log.
>>
>> Is it just because I use a bad (no wildcard) cert? Should I bother?
>> Couldn't find anything in the archives about it.
>
> I can't find anything close to that error message in GnuTLS. How do you
> use GnuTLS together with Apache? Possibly the problem can be found in
> that glue layer. I'd be happy to review that code if you provide a
> pointer.
I found the error message, it is from mod_gnutls. The cause is a
bug... and I'm not sure if it is in mod_gnutls or GnuTLS. The code in
mod_gnutls is:
rv = gnutls_server_name_get(ctxt->session, sni_name,
                            &data_len, &sni_type, 0);
if (rv != 0) {
    return NULL;
}
/* sni_type is compared against the GNUTLS_NAME_DNS enum (value 1), but
   gnutls_server_name_get hands back the wire name_type, which is 0 for host_name */
if (sni_type != GNUTLS_NAME_DNS) {
    ap_log_error(APLOG_MARK, APLOG_CRIT, 0,
                 ctxt->c->base_server,
                 "GnuTLS: Unknown type '%d' for SNI: "
                 "'%s'", sni_type, sni_name);
    return NULL;
}
This looks correct, but unfortunately, the value of GNUTLS_NAME_DNS is
1, and the RFC uses the value 0 for this, and that is the value that is
returned in the type variable from the gnutls_server_name_get function.
I think the simplest solution here is to fix the gnutls_server_name_get
function to +1 the type variable before returning it. See patch below.
I haven't installed this yet, because I'm not sure we should solve it
this way.
Thanks for the report. I'm happy to hear that people are trying to get
mod_gnutls to work. Btw, some instructions that help new users:
http://www.g-loaded.eu/2007/08/10/ssl-enabled-name-based-apache-virtual-hosts-with-mod_gnutls/
/Simon
diff --git a/lib/ext_server_name.c b/lib/ext_server_name.c
index f9ca429..3effb57 100644
--- a/lib/ext_server_name.c
+++ b/lib/ext_server_name.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2002, 2003, 2004, 2005 Free Software Foundation
+ * Copyright (C) 2002, 2003, 2004, 2005, 2007 Free Software Foundation
*
* Author: Nikos Mavroyanopoulos
*
@@ -250,7 +250,7 @@ gnutls_server_name_get (gnutls_session_t session, void *data,
return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE;
}
- *type = session->security_parameters.extensions.server_names[indx].type;
+ *type = session->security_parameters.extensions.server_names[indx].type + 1;
if (*data_length > /* greater since we need one extra byte for the null */
session->security_parameters.extensions.server_names[indx].name_length)
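Review bot: the `+ 1` on the `*type =` line encodes the wire-to-enum relation as an arithmetic offset, which also shifts any unrecognised name_type value into the next valid enum value instead of flagging it; an explicit conversion (a switch mapping wire value 0 to GNUTLS_NAME_DNS and returning an error, or a distinct unknown value, for anything else) makes the intent visible and keeps future RFC-defined types from colliding. Whatever stores `server_names[indx].type` on the set/parse side needs the inverse mapping in the same change, or the stored and returned representations drift apart, and a short comment on the field should say which representation it holds. Since this changes the value existing callers of gnutls_server_name_get see, the documentation for the `type` output should state that it is a GNUTLS_NAME_* enum value rather than the raw wire byte.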
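An added illustration (not code from GnuTLS or mod_gnutls) of the mismatch described above: RFC 4366 sends host_name as name_type 0 on the wire, while the enum the mod_gnutls check compares against starts at 1. The enum, parser and sample extension bytes below are constructed stand-ins; the point is an explicit wire-to-enum conversion that rejects unknown values instead of shifting them with `+ 1`.

```c
/* Added example, not GnuTLS or mod_gnutls code: parse a ServerName extension
 * body and convert the wire name_type to an API enum explicitly (no "+ 1").
 * The enum, parser and sample bytes below are hypothetical stand-ins. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* As in the thread: the API enum starts at 1, but RFC 4366 host_name is 0. */
enum sni_name_type { SNI_NAME_UNKNOWN = 0, SNI_NAME_DNS = 1 };
#define SNI_WIRE_HOST_NAME 0
/* Explicit mapping: unknown wire values stay unknown instead of being shifted. */
enum sni_name_type sni_type_from_wire(uint8_t wire)
{
    switch (wire) {
    case SNI_WIRE_HOST_NAME: return SNI_NAME_DNS;
    default:                 return SNI_NAME_UNKNOWN;
    }
}
/* First ServerName entry: returns its length, or -1 on overrun/no room for NUL. */
int sni_parse_first(const uint8_t *ext, size_t ext_len,
                    enum sni_name_type *type, char *out, size_t out_len)
{
    size_t list_len, name_len;
    if (ext_len < 5) return -1;
    list_len = ((size_t)ext[0] << 8) | ext[1];            /* ServerNameList */
    if (list_len + 2 > ext_len || list_len < 3) return -1;
    *type = sni_type_from_wire(ext[2]);                    /* name_type     */
    name_len = ((size_t)ext[3] << 8) | ext[4];            /* HostName len  */
    if (3 + name_len > list_len || name_len + 1 > out_len) return -1;
    memcpy(out, ext + 5, name_len);
    out[name_len] = '\0';
    return (int)name_len;
}
/* Constructed sample: a ServerNameList carrying "foo.domain.bar". */
static const uint8_t sample_sni[] = {
    0x00, 0x11,                 /* list length = 17 */
    0x00,                       /* name_type = host_name (0 on the wire) */
    0x00, 0x0e,                 /* host_name length = 14 */
    'f','o','o','.','d','o','m','a','i','n','.','b','a','r'
};
/* 1 if the sample parses as DNS-typed "foo.domain.bar" and a truncated copy fails. */
int sni_sample_ok(void)
{
    enum sni_name_type t;
    char name[64];
    if (sni_parse_first(sample_sni, sizeof sample_sni, &t, name, sizeof name) != 14) return 0;
    if (t != SNI_NAME_DNS || strcmp(name, "foo.domain.bar") != 0) return 0;
    return sni_parse_first(sample_sni, 10, &t, name, sizeof name) == -1;
}
```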