[gnutls-help] telling gnutls-cli to avoid sending SNI

Daniel Kahn Gillmor dkg at fifthhorseman.net
Tue Jan 29 21:12:06 CET 2013

Sometimes I don't want gnutls-cli to send SNI.

The two ways I see to do this currently are:

 0) do the DNS resolution outside of gnutls-cli:

    gnutls-cli $(dig +short foo.example | head -n1)

 1) disable all TLS extensions:

    gnutls-cli --disable-extensions

The problem with (0) of course is that the certificate verification
fails because gnutls-cli doesn't know what to check for.

The problem with (1) is that sometimes I'd like to use other extensions
while avoiding SNI.  And gnutls-cli(1) claims it's deprecated:

> This option disables all TLS extensions. Deprecated option. Use the priority string.

But I don't see how to use the priority string to disable SNI itself.

src/cli.c doesn't seem to offer a way to do it:

  if (disable_extensions == 0)
      if (!isdigit(hostname[0]) && strchr(hostname, ':') == 0)
        gnutls_server_name_set (session, GNUTLS_NAME_DNS, hostname,
                                strlen (hostname));

I'm currently trying to make a patch for a --disable-sni flag to
gnutls-cli (does something like that sound useful?), but I seem to be
stumbling over some of the generated files that are committed to the git

The attached patch seems like the nice minimal thing to add, but then it
appears to be necessary to also do:

 cd src && autogen cli-args.def

But that creates a much larger and more opaque patch, and then compilation
fails (perhaps because my system has autogen 5.17.1 and the existing
other autogen'ed headers appear to be from autogen 5.16).

The compilation failure looks like this:

  CC     libcmd_cli_la-cli-args.lo
In file included from cli-args.c:44:0:
cli-args.h:62:3: error: #error option template version mismatches autoopts/options.h header
cli-args.h:63:3: error: unknown type name 'Choke'
cli-args.h:63:11: error: expected '=', ',', ';', 'asm' or '__attribute__' before '.' token
cli-args.h:117:3: warning: data definition has no type or storage class [enabled by default]
cli-args.h:117:3: warning: type defaults to 'int' in declaration of 'teOptIndex' [enabled by default]
cli-args.c:1190:29: error: 'INDEX_OPT_VERSION' undeclared here (not in a function)
cli-args.c:1204:29: error: 'INDEX_OPT_HELP' undeclared here (not in a function)
cli-args.c:1216:29: error: 'INDEX_OPT_MORE_HELP' undeclared here (not in a function)
cli-args.c: In function 'AO_gettext':
cli-args.c:1583:9: error: 'option_xlateable_txt' undeclared (first use in this function)
cli-args.c:1583:9: note: each undeclared identifier is reported only once for each function it appears in
cli-args.c: In function 'translate_option_strings':
cli-args.c:1622:9: error: 'option_xlateable_txt' undeclared (first use in this function)
make[4]: *** [libcmd_cli_la-cli-args.lo] Error 1
make[4]: Leaving directory `/tmp/cdtemp.TdCJYy/gnutls/src'
make[3]: *** [all-recursive] Error 1
make[3]: Leaving directory `/tmp/cdtemp.TdCJYy/gnutls/src'
make[2]: *** [all] Error 2
make[2]: Leaving directory `/tmp/cdtemp.TdCJYy/gnutls/src'
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory `/tmp/cdtemp.TdCJYy/gnutls'
make: *** [all] Error 2
2 dkg at alice:/tmp/cdtemp.TdCJYy/gnutls$ 

Any ideas about how I should proceed with this?
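Whichever way the option ends up being spelled, the useful check is on the wire: confirm that the ClientHello the client actually sent carries no server_name extension. The following is an added example (not code from the thread or from the gnutls tree): a small C routine that walks a captured TLS ClientHello record and reports whether SNI is present. The record bytes, the name foo.example and the helper names find_sni and rd16 are constructed for this example.

```c
#include <stdio.h>
#include <string.h>
static size_t rd16(const unsigned char *p) { return (size_t)(p[0] << 8 | p[1]); }
/* Walk a captured TLS ClientHello record: return 1 and copy the host_name into out
 * when a server_name (SNI) extension is present, 0 when absent, -1 when malformed. */
int find_sni(const unsigned char *b, size_t n, char *out, size_t outlen)
{
    size_t p, end, xend;
    if (n < 9 || b[0] != 22 || b[5] != 1) return -1;   /* handshake record holding a ClientHello */
    end = 9 + ((size_t)b[6] << 16 | rd16(b + 7));      /* end of the ClientHello body */
    if (end > n || end < 44) return -1;
    p = 9 + 2 + 32;                                    /* skip client_version and random */
    p += 1 + b[p];                                     /* session_id */
    if (p + 2 > end) return -1;
    p += 2 + rd16(b + p);                              /* cipher_suites */
    if (p + 1 > end) return -1;
    p += 1 + b[p];                                     /* compression_methods */
    if (p == end) return 0;                            /* no extensions block at all: no SNI */
    if (p + 2 > end) return -1;
    xend = p + 2 + rd16(b + p); p += 2;
    if (xend > end) return -1;
    while (p + 4 <= xend) {                            /* extension: type(2) length(2) data */
        size_t type = rd16(b + p), len = rd16(b + p + 2); p += 4;
        if (p + len > xend) return -1;
        if (type == 0) {                               /* server_name: list_len(2) name_type(1) name_len(2) name */
            size_t nl = len >= 5 ? rd16(b + p + 3) : 0;
            if (len < 5 || b[p + 2] != 0 || 5 + nl > len || nl >= outlen) return -1;
            memcpy(out, b + p + 5, nl); out[nl] = '\0';
            return 1;
        }
        p += len;
    }
    return p == xend ? 0 : -1;
}

/* Constructed sample (not a capture): minimal TLS 1.2 ClientHello, zero random, SNI "foo.example" */
const unsigned char hello_with_sni[] =
    "\x16\x03\x01\x00\x43" "\x01\x00\x00\x3f" "\x03\x03"        /* record hdr, handshake hdr, version */
    "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
    "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" /* 32-byte random */
    "\x00" "\x00\x02\x13\x01" "\x01\x00"                          /* session_id, suites, compression */
    "\x00\x14" "\x00\x00\x00\x10" "\x00\x0e\x00\x00\x0b" "foo.example"; /* extensions: SNI only */
const size_t hello_with_sni_len = sizeof hello_with_sni - 1;

int main(void) {
    char name[256];
    int r = find_sni(hello_with_sni, hello_with_sni_len, name, sizeof name);
    printf("sni=%d name=%s\n", r, r == 1 ? name : "(none)");  /* sni=1 name=foo.example */
    return 0;
}
```

Feed it the first record of a packet capture taken while the client connects; a result of 0 means the client really sent no server_name, which is the behaviour a --disable-sni option should produce.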
