
Merge branch 'candidate-8.2.x' into candidate-8.4.x

Signed-off-by: Richard Chapman <rchapman@hpccsystems.com>
Richard Chapman 3 年之前
7615bf3bc4

+ 3 - 3
common/thorhelper/thorsoapcall.cpp

@@ -1139,10 +1139,10 @@ public:
         CriticalBlock b(secureContextCrit);
         return ensureSecureContext(secureContext);
     }
-    ISecureSocket *createSecureSocket(ISocket *sock)
+    ISecureSocket *createSecureSocket(ISocket *sock, const char *fqdn = nullptr)
     {
         ISecureSocketContext *sc = (customClientCert) ? ensureSecureContext(customSecureContext) : ensureStaticSecureContext();
-        return sc->createSecureSocket(sock);
+        return sc->createSecureSocket(sock, SSLogNormal, fqdn);
     }
 #endif
     bool isTimeLimitExceeded(unsigned *_remainingMS)
@@ -2228,7 +2228,7 @@ public:
                         if (proto == PersistentProtocol::ProtoTLS)
                         {
 #ifdef _USE_OPENSSL
-                            Owned<ISecureSocket> ssock = master->createSecureSocket(socket.getClear());
+                            Owned<ISecureSocket> ssock = master->createSecureSocket(socket.getClear(), connUrl.host);
                             if (ssock)
                             {
                                 checkTimeLimitExceeded(&remainingMS);
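Review bot: The new `fqdn = nullptr` default on the wrapper declaration means any caller of `createSecureSocket` on this class that was not updated here silently keeps connecting without SNI, and nothing on the declaration says the name is optional or what it is for; the only updated caller in this file (the ProtoTLS path) passes `connUrl.host`. A one-line comment on the declaration would make the contract explicit: `// fqdn: optional server name for TLS SNI; nullptr leaves the extension unset`. The enclosing class starts and ends outside both hunks, so whether other callers of this wrapper exist cannot be confirmed from here.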

+ 1 - 1
esp/bindings/http/client/httpclient.cpp

@@ -309,7 +309,7 @@ int CHttpClient::connect(StringBuffer& errmsg, bool forceNewConnection)
 
             if(strcmp(m_protocol.get(), "HTTPS") == 0)
             {
-                ISecureSocket* securesocket = m_ssctx->createSecureSocket(m_socket);
+                ISecureSocket* securesocket = m_ssctx->createSecureSocket(m_socket, SSLogNormal, m_host.str());
                 int res = securesocket->secure_connect();
                 if(res < 0)
                 {

+ 2 - 2
esp/test/httptest/httptest.cpp

@@ -516,7 +516,7 @@ int HttpClient::sendRequest(int times, HttpStat& stat, StringBuffer& req)
             socket.setown(ISocket::connect(ep));
             if(m_use_ssl && m_ssctx.get() != NULL)
             {
-                Owned<ISecureSocket> securesocket = m_ssctx->createSecureSocket(socket.getLink());
+                Owned<ISecureSocket> securesocket = m_ssctx->createSecureSocket(socket.getLink(), SSLogNormal, m_host.str());
                 int res = securesocket->secure_connect();
                 if(res >= 0)
                 {
@@ -846,7 +846,7 @@ int COneServerHttpProxyThread::start()
         socket2.setown(ISocket::connect(ep));
         if(m_use_ssl && m_ssctx != NULL)
         {
-            Owned<ISecureSocket> securesocket = m_ssctx->createSecureSocket(socket2.getLink());
+            Owned<ISecureSocket> securesocket = m_ssctx->createSecureSocket(socket2.getLink(), SSLogNormal, m_host.str());
             int res = securesocket->secure_connect();
             if(res >= 0)
             {

+ 2 - 2
esp/tools/soapplus/http.cpp

@@ -1129,7 +1129,7 @@ public:
         
         if(m_ssctx != NULL)
         {
-            m_securesocket.setown(m_ssctx->createSecureSocket(m_sockfd));
+            m_securesocket.setown(m_ssctx->createSecureSocket(m_sockfd, SSLogNormal, address->m_fqdn.str()));
             int res = m_securesocket->secure_connect();
             if(res < 0)
             {
@@ -1759,7 +1759,7 @@ int HttpClient::sendRequest(StringBuffer& req, IFileIO* request_output, IFileIO*
         socket.setown(ISocket::connect(ep));
         if(m_ssctx.get() != NULL)
         {
-            Owned<ISecureSocket> securesocket = m_ssctx->createSecureSocket(socket.getLink());
+            Owned<ISecureSocket> securesocket = m_ssctx->createSecureSocket(socket.getLink(), SSLogNormal, m_host.str());
             int res = securesocket->secure_connect();
             if(res >= 0)
             {

+ 2 - 0
esp/tools/soapplus/http.hpp

@@ -110,6 +110,7 @@ public:
     StringBuffer m_ip;
     int          m_port;
     struct sockaddr_in* m_addr;
+    StringBuffer m_fqdn;
 
     CAddress(const char* host, int port)
     {
@@ -123,6 +124,7 @@ public:
         IpAddress ip(host);
         ip.getIpText(m_ip);
         m_port = port;
+        m_fqdn.set(host);
 
     #ifndef _WIN32
         inet_pton(AF_INET, m_ip.str(), &(m_addr->sin_addr));
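Review bot: The new member `m_fqdn` stores whatever string the caller passed as `host`, and the constructor immediately resolves that same string via `IpAddress ip(host)`, so it may well be an IP literal rather than a fully qualified domain name; the member name overstates what it holds. A comment on the declaration would stop a reader from assuming it is always a DNS name: `// host string exactly as given by the caller (DNS name or IP literal); passed to TLS as the SNI name`. Whether `StringBuffer::set` tolerates a null `host` is not visible here, though `IpAddress ip(host)` presumably already requires a non-null pointer. The constructor body continues outside the second hunk.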

+ 1 - 1
esp/tools/soapplus/httpproxy.cpp

@@ -198,7 +198,7 @@ int COneServerHttpProxyThread::start()
         if(m_use_ssl && m_ssctx != NULL)
         {
 #ifdef _USE_OPENSSL
-            Owned<ISecureSocket> securesocket = m_ssctx->createSecureSocket(socket2.getLink());
+            Owned<ISecureSocket> securesocket = m_ssctx->createSecureSocket(socket2.getLink(), SSLogNormal, m_host.str());
             int res = securesocket->secure_connect();
             if(res >= 0)
             {

+ 21 - 9
system/security/securesocket/securesocket.cpp

@@ -137,7 +137,7 @@ private:
     CStringSet* m_peers;
     int         m_loglevel;
     bool        m_isSecure;
-    size32_t    nextblocksize = 0;
+    StringBuffer m_fqdn;
     unsigned    blockflags = BF_ASYNC_TRANSFER;
     unsigned    blocktimeoutms = WAIT_FOREVER;
 #ifdef USERECVSEM
@@ -151,8 +151,8 @@ private:
 public:
     IMPLEMENT_IINTERFACE;
 
-    CSecureSocket(ISocket* sock, SSL_CTX* ctx, bool verify = false, bool addres_match = false, CStringSet* m_peers = NULL, int loglevel=SSLogNormal);
-    CSecureSocket(int sockfd, SSL_CTX* ctx, bool verify = false, bool addres_match = false, CStringSet* m_peers = NULL, int loglevel=SSLogNormal);
+    CSecureSocket(ISocket* sock, SSL_CTX* ctx, bool verify = false, bool addres_match = false, CStringSet* m_peers = NULL, int loglevel=SSLogNormal, const char *fqdn = nullptr);
+    CSecureSocket(int sockfd, SSL_CTX* ctx, bool verify = false, bool addres_match = false, CStringSet* m_peers = NULL, int loglevel=SSLogNormal, const char *fqdn = nullptr);
     ~CSecureSocket();
 
     virtual int secure_accept(int logLevel);
@@ -449,7 +449,7 @@ Semaphore CSecureSocket::receiveblocksem(2);
 /**************************************************************************
  *  CSecureSocket -- secure socket layer implementation using openssl     *
  **************************************************************************/
-CSecureSocket::CSecureSocket(ISocket* sock, SSL_CTX* ctx, bool verify, bool address_match, CStringSet* peers, int loglevel)
+CSecureSocket::CSecureSocket(ISocket* sock, SSL_CTX* ctx, bool verify, bool address_match, CStringSet* peers, int loglevel, const char *fqdn)
 {
     m_socket.setown(sock);
     m_ssl = SSL_new(ctx);
@@ -471,9 +471,12 @@ CSecureSocket::CSecureSocket(ISocket* sock, SSL_CTX* ctx, bool verify, bool addr
 #endif
 
     SSL_set_fd(m_ssl, sock->OShandle());
+
+    if (fqdn)
+        m_fqdn.set(fqdn);
 }
 
-CSecureSocket::CSecureSocket(int sockfd, SSL_CTX* ctx, bool verify, bool address_match, CStringSet* peers, int loglevel)
+CSecureSocket::CSecureSocket(int sockfd, SSL_CTX* ctx, bool verify, bool address_match, CStringSet* peers, int loglevel, const char *fqdn)
 {
     //m_socket.setown(sock);
     //m_socket.setown(ISocket::attach(sockfd));
@@ -496,6 +499,9 @@ CSecureSocket::CSecureSocket(int sockfd, SSL_CTX* ctx, bool verify, bool address
 #endif
 
     SSL_set_fd(m_ssl, sockfd);
+
+    if (fqdn)
+        m_fqdn.set(fqdn);
 }
 
 CSecureSocket::~CSecureSocket()
@@ -701,6 +707,12 @@ int CSecureSocket::secure_accept(int logLevel)
 
 int CSecureSocket::secure_connect(int logLevel)
 {
+    if (m_fqdn.length() > 0)
+    {
+        if (!streq(m_fqdn.str(), "."))
+            SSL_set_tlsext_host_name(m_ssl, m_fqdn.str());
+    }
+
     int err = SSL_connect (m_ssl);                     
     if(err <= 0)
     {
@@ -1329,14 +1341,14 @@ public:
         SSL_CTX_free(m_ctx);
     }
 
-    ISecureSocket* createSecureSocket(ISocket* sock, int loglevel)
+    ISecureSocket* createSecureSocket(ISocket* sock, int loglevel, const char *fqdn)
     {
-        return new CSecureSocket(sock, m_ctx, m_verify, m_address_match, m_peers, loglevel);
+        return new CSecureSocket(sock, m_ctx, m_verify, m_address_match, m_peers, loglevel, fqdn);
     }
 
-    ISecureSocket* createSecureSocket(int sockfd, int loglevel)
+    ISecureSocket* createSecureSocket(int sockfd, int loglevel, const char *fqdn)
     {
-        return new CSecureSocket(sockfd, m_ctx, m_verify, m_address_match, m_peers, loglevel);
+        return new CSecureSocket(sockfd, m_ctx, m_verify, m_address_match, m_peers, loglevel, fqdn);
     }
 };
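Review bot: In `secure_connect` the return value of `SSL_set_tlsext_host_name` is discarded, and the name placed in SNI is not also registered for certificate hostname checking, so a client built with verification on still accepts a certificate issued for any name; the fix is to check the call and, when verification is enabled, bind the name with `SSL_set1_host(m_ssl, m_fqdn.str());` (OpenSSL 1.1.0 and later) — which member carries the verify flag on `CSecureSocket` is not visible in these hunks. The `"."` sentinel that suppresses SNI is undocumented; a comment such as `// "." is a caller-supplied marker meaning "do not send SNI"` on that branch would help. The guard also only filters `"."`, not IP literals, which RFC 6066 does not allow in SNI; several call sites elsewhere in this commit (testsocket.cpp passes a parameter named `ip`, soapplus stores the resolved host string) make that case likely. `secure_connect` continues outside the hunk.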
 

+ 2 - 2
system/security/securesocket/securesocket.hpp

@@ -56,8 +56,8 @@ interface ISecureSocket : implements ISocket
 // One instance per program running
 interface ISecureSocketContext : implements IInterface
 {
-    virtual ISecureSocket* createSecureSocket(ISocket* sock, int loglevel = SSLogNormal) = 0;
-    virtual ISecureSocket* createSecureSocket(int sockfd, int loglevel = SSLogNormal) = 0;
+    virtual ISecureSocket* createSecureSocket(ISocket* sock, int loglevel = SSLogNormal, const char *fqdn = nullptr) = 0;
+    virtual ISecureSocket* createSecureSocket(int sockfd, int loglevel = SSLogNormal, const char *fqdn = nullptr) = 0;
 };
 
 interface ICertificate : implements IInterface

+ 2 - 2
tools/testsocket/testsocket.cpp

@@ -562,7 +562,7 @@ int doSendQuery(const char * ip, unsigned port, const char * base)
 #ifdef _USE_OPENSSL
                     if (!persistSecureContext)
                         persistSecureContext.setown(createSecureSocketContext(ClientSocket));
-                    persistSSock.setown(persistSecureContext->createSecureSocket(persistSocket.getClear()));
+                    persistSSock.setown(persistSecureContext->createSecureSocket(persistSocket.getClear(), SSLogNormal, ip));
                     int res = persistSSock->secure_connect();
                     if (res < 0)
                         throw MakeStringException(-1, "doSendQuery : Failed to establish secure connection");
@@ -582,7 +582,7 @@ int doSendQuery(const char * ip, unsigned port, const char * base)
             {
 #ifdef _USE_OPENSSL
                 secureContext.setown(createSecureSocketContext(ClientSocket));
-                Owned<ISecureSocket> ssock = secureContext->createSecureSocket(socket.getClear());
+                Owned<ISecureSocket> ssock = secureContext->createSecureSocket(socket.getClear(), SSLogNormal, ip);
                 int res = ssock->secure_connect();
                 if (res < 0)
                     throw MakeStringException(-1, "doSendQuery : Failed to establish secure connection");
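Review bot: Both hunks pass the function's `ip` parameter as the SNI name, and by its name and use in `doSendQuery(const char * ip, ...)` it is likely a numeric address; the only filtering on the receiving side (`CSecureSocket::secure_connect` in securesocket.cpp) skips `"."`, so an IP literal would be sent in the SNI extension, which RFC 6066 forbids and some servers reject. Either pass the user-supplied host name when one is available or leave the argument as `nullptr` when `ip` is numeric; if `ip` can in fact be a host name here, a comment saying so at the first call site would settle it. `doSendQuery` starts and ends outside both hunks.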