288e4ca6da6169f1ab0fc77e897f869e0fa7d39c
galt
  Fri Dec 18 23:26:08 2015 -0800
Fixes #16554

diff --git src/lib/https.c src/lib/https.c
index 0d6112a..1a8f026 100644
--- src/lib/https.c
+++ src/lib/https.c
@@ -1,30 +1,31 @@
 /* Connect via https. */
 
 /* Copyright (C) 2012 The Regents of the University of California 
  * See README in this or parent directory for licensing information. */
 
 #ifdef USE_SSL
 
 #include "openssl/ssl.h"
 #include "openssl/err.h"
 
 #include <sys/socket.h>
 #include <unistd.h>
 #include <pthread.h>
 
 #include "common.h"
+#include "internet.h"
 #include "errAbort.h"
 #include "net.h"
 
 
 static pthread_mutex_t *mutexes = NULL;
  
 static unsigned long openssl_id_callback(void)
 {
 return ((unsigned long)pthread_self());
 }
  
 static void openssl_locking_callback(int mode, int n, const char * file, int line)
 {
 if (mode & CRYPTO_LOCK)
     pthread_mutex_lock(&mutexes[n]);
@@ -123,37 +124,50 @@
 
 // verify paths and mode.
 
 */
 
 
 sbio = BIO_new_ssl_connect(ctx);
 
 BIO_get_ssl(sbio, &ssl);
 if(!ssl) 
     {
     xerr("Can't locate SSL pointer");
     goto cleanup;
     }
 
+
+
 /* Don't want any retries since we are non-blocking bio now */
 //SSL_set_mode(ssl, SSL_MODE_AUTO_RETRY);
 
 
 safef(hostnameProto,sizeof(hostnameProto),"%s:%d",params->hostName,params->port);
 BIO_set_conn_hostname(sbio, hostnameProto);
 
+/* 
+Server Name Indication (SNI)
+Required to complete tls ssl negotiation for systems which house multiple domains. (SNI)
+This is common when serving HTTPS requests with a wildcard certificate (*.domain.tld).
+This line will allow the ssl connection to send the hostname at tls negotiation time.
+It tells the remote server which hostname the client is connecting to.
+The hostname must not be an IP address.
+*/ 
+if (!internetIsDottedQuad(params->hostName))
+    SSL_set_tlsext_host_name(ssl,params->hostName);
+
 BIO_set_nbio(sbio, 1);     /* non-blocking mode */
 
 while (1) 
     {
     if (BIO_do_connect(sbio) == 1) 
 	{
 	break;  /* Connected */
 	}
     if (! BIO_should_retry(sbio)) 
 	{
 	xerr("BIO_do_connect() failed");
 	char s[256];	
 	safef(s, sizeof s, "SSL error: %s", ERR_reason_error_string(ERR_get_error()));
 	xerr(s);
 	goto cleanup;
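Review bot: The result of `SSL_set_tlsext_host_name(ssl,params->hostName)` is discarded, so if the extension cannot be set the handshake still proceeds without SNI and a multi-domain server may answer with its default certificate. I would fail closed like the `BIO_get_ssl` check above: `if (!internetIsDottedQuad(params->hostName) && !SSL_set_tlsext_host_name(ssl, params->hostName))` followed by `{ xerr("Can't set SNI host name"); goto cleanup; }`. `internetIsDottedQuad` presumably matches IPv4 literals only, so an IPv6 literal in `params->hostName` would still be sent as a server name, which RFC 6066 does not permit. The new comment should also say that SNI only selects which certificate the server presents and does not make the client validate it. The context above ("verify paths and mode." inside what looks like a commented-out block) suggests peer and hostname verification may still be disabled. The enclosing function starts and ends outside this hunk.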