From 1d5d55a484ce05187cac25c3864cb4ddf7b6baf5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Stefan=20B=C3=BChler?=
Date: Fri, 16 Oct 2009 22:06:22 +0000
Subject: [PATCH] Don't print ssl error if client didn't support TLS SNI

git-svn-id: svn://svn.lighttpd.net/lighttpd/branches/lighttpd-1.4.x@2666 152afb58-edef-0310-8abb-c4023f1b3aa9
---
 NEWS          | 1 +
 src/network.c | 8 ++++++--
 2 files changed, 7 insertions(+), 2 deletions(-)

diff --git a/NEWS b/NEWS
index 13e18fb1..92ccf65f 100644
--- a/NEWS
+++ b/NEWS
@@ -59,6 +59,7 @@ NEWS
   * mod_fastcgi: Fix host->active_procs counter, return 503 if connect wasn't successful after 5 tries (fixes #1825)
   * mod_accesslog: escape special characters (fixes #1551, thx icy)
   * fix mod_webdav crash from #1793 (fixes #2048, thx hiroya)
+  * Don't print ssl error if client didn't support TLS SNI
 
 - 1.4.23 - 2009-06-19
   * Added some extra warning options in cmake and fix the resulting warnings (unused/static functions)

diff --git a/src/network.c b/src/network.c
index 1973256f..4b076184 100644
--- a/src/network.c
+++ b/src/network.c
@@ -72,8 +72,11 @@ static int network_ssl_servername_callback(SSL *ssl, int *al, server *srv) {
 	buffer_copy_string(con->uri.scheme, "https");
 
 	if (NULL == (servername = SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name))) {
+#if 0
+		/* this "error" just means the client didn't support it */
 		log_error_write(srv, __FILE__, __LINE__, "ss", "SSL:",
 				"failed to get TLS server name");
+#endif
 		return SSL_TLSEXT_ERR_NOACK;
 	}
 	buffer_copy_string(con->tlsext_server_name, servername);
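Review bot: Wrapping the log_error_write call in `#if 0` … `#endif` leaves dead code in network_ssl_servername_callback; since the new comment already records why the message is unwanted, the call should be deleted outright and only the comment kept, e.g. `/* no server_name extension: the client simply did not send SNI, which is not an error */` directly above `return SSL_TLSEXT_ERR_NOACK;`. Code under `#if 0` is invisible to the compiler, so it silently rots if log_error_write's signature changes later. Returning SSL_TLSEXT_ERR_NOACK for a missing extension is the right outcome, so the behavioural change itself looks correct. The enclosing function starts before this hunk (only its signature is visible in the hunk header) and continues past it.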
@@ -87,15 +90,16 @@ static int network_ssl_servername_callback(SSL *ssl, int *al, server *srv) {
 	config_patch_connection(srv, con, COMP_HTTP_HOST);
 
 	if (NULL == con->conf.ssl_ctx) {
+		/* ssl_ctx <=> pemfile was set <=> ssl_ctx got patched: so this should never happen */
 		log_error_write(srv, __FILE__, __LINE__, "ssb", "SSL:",
-			"null SSL_CTX for TLS server name", con->tlsext_server_name);
+				"null SSL_CTX for TLS server name", con->tlsext_server_name);
 		return SSL_TLSEXT_ERR_ALERT_FATAL;
 	}
 
 	/* switch to new SSL_CTX in reaction to a client's server_name extension */
 	if (con->conf.ssl_ctx != SSL_set_SSL_CTX(ssl, con->conf.ssl_ctx)) {
 		log_error_write(srv, __FILE__, __LINE__, "ssb", "SSL:",
-			"failed to set SSL_CTX for TLS server name", con->tlsext_server_name);
+				"failed to set SSL_CTX for TLS server name", con->tlsext_server_name);
 		return SSL_TLSEXT_ERR_ALERT_FATAL;
 	}
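Review bot: The added comment `/* ssl_ctx <=> pemfile was set <=> ssl_ctx got patched: so this should never happen */` is hard to read because of the `<=>` shorthand; something like `/* ssl_ctx is set whenever a pemfile is, and config_patch_connection() just patched it, so NULL here indicates a configuration bug */` states the invariant plainly. The `-`/`+` pairs on the `"null SSL_CTX for TLS server name"` and `"failed to set SSL_CTX for TLS server name"` continuation lines appear to differ only in indentation, which is whitespace churn unrelated to this commit's purpose and would be better kept out of it. Both of those lines log con->tlsext_server_name, a client-supplied value reached before any request handling; whether the `b` conversion in log_error_write neutralises control characters is not visible here and is worth confirming. The enclosing function begins before this hunk and its end is not visible here.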