
Add support for client-side TLS "Server Name Indication" (SNI) #160

Closed
rlebeau opened this issue Apr 6, 2017 · 3 comments
Labels
Element: I/O Handlers (issues related to TIdIOHandler and descendants); Element: SSL/TLS (issues related to SSL/TLS handling, TIdSSLIOHandlerSocketBase and descendants); Status: Fixed (issue has been fixed, no further work needed); Type: Enhancement (issue is proposing a new feature/enhancement)
Milestone

Comments

rlebeau (Member) commented Apr 6, 2017

http://en.wikipedia.org/wiki/Server_Name_Indication

Per http://stackoverflow.com/questions/5113333/:

On the client side, you use SSL_set_tlsext_host_name(ssl, servername) before initiating the SSL connection.

On the server side, it's a little more complicated:

  • Set up an additional SSL_CTX() for each different certificate;
  • Add a servername callback to each SSL_CTX() using SSL_CTX_set_tlsext_servername_callback();
  • In the callback, retrieve the client-supplied servername with SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name). Figure out the right SSL_CTX to go with that host name, then switch the SSL object to that SSL_CTX with SSL_set_SSL_CTX().

The s_client.c and s_server.c files in the apps/ directory of the OpenSSL source distribution implement this functionality, so they're a good resource to see how it should be done.

rlebeau added the Type: Enhancement, Element: I/O Handlers and Element: SSL/TLS labels Apr 6, 2017
rlebeau added this to the Indy 12 milestone Apr 6, 2017
rlebeau (Member, Author) commented Apr 6, 2017

Client-side support for calling SSL_set_tlsext_host_name() when making an outbound SSL connection has been added to TIdSSLIOHandlerSocketOpenSSL in SVN rev 5321. Server-side support when accepting an inbound SSL connection has not been implemented yet.

On the client side, if TIdSSLIOHandlerSocketOpenSSL connects to an SSL/TLS server through a proxy, it is using the proxy's hostname for SNI instead of using the target server's hostname. This needs to be fixed. UPDATE: Client-side support for SNI through a proxy was added in SVN rev 5360.

Server-side SNI is still not implemented at this time. Opening new ticket IndySockets/IndyTLS-OpenSSL#15 for that.
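As an added example (not Indy's code and not from this thread): Python's ssl module is an OpenSSL binding whose server_hostname argument is handed to SSL_set_tlsext_host_name(), so it can show the client-side behaviour the first comment describes and the proxy point raised above. The ClientHello is produced entirely in memory and the server_name extension is parsed back out of it, which is also how a defender inspecting TLS traffic reads the SNI; the hostname is a constructed sample value.

```python
import ssl
from typing import Optional

def client_hello_bytes(target_host: Optional[str]) -> bytes:
    """Start a TLS handshake in memory and return what OpenSSL writes out (the
    ClientHello). server_hostname maps to SSL_set_tlsext_host_name(); no socket."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    if target_host is None:      # no SNI at all: hostname checks must be disabled first
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    # When connecting through a proxy, the name given here must still be the
    # target server's, not the proxy's (the defect the thread says rev 5360 fixed).
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname=target_host)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass                     # expected: ClientHello written, no server reply yet
    return outgoing.read()

def extract_sni(data: bytes) -> Optional[str]:
    """Reassemble Handshake records and return host_name from the server_name
    extension (type 0) of a ClientHello, or None if it is absent."""
    hs, pos = b"", 0
    while pos + 5 <= len(data):
        rtype, rlen = data[pos], int.from_bytes(data[pos + 3:pos + 5], "big")
        if rtype == 22:                                  # ContentType handshake
            hs += data[pos + 5:pos + 5 + rlen]
        pos += 5 + rlen
    if len(hs) < 4 or hs[0] != 1:                        # HandshakeType client_hello
        return None
    p = 4 + 2 + 32                                       # header, version, random
    p += 1 + hs[p]                                       # session_id
    p += 2 + int.from_bytes(hs[p:p + 2], "big")          # cipher_suites
    p += 1 + hs[p]                                       # compression_methods
    ext_end = p + 2 + int.from_bytes(hs[p:p + 2], "big")
    p += 2
    while p + 4 <= ext_end:
        etype = int.from_bytes(hs[p:p + 2], "big")
        elen = int.from_bytes(hs[p + 2:p + 4], "big")
        if etype == 0:                                   # server_name
            body, q = hs[p + 4:p + 4 + elen], 2          # skip server_name_list length
            while q + 3 <= len(body):
                ntype, nlen = body[q], int.from_bytes(body[q + 1:q + 3], "big")
                if ntype == 0:                           # host_name
                    return body[q + 3:q + 3 + nlen].decode("ascii")
                q += 3 + nlen
        p += 4 + elen
    return None
```

Passing None for the hostname shows the trade-off: OpenSSL then sends no server_name extension, but the client also has to give up hostname verification.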

HeartWareDK commented

Any progress to report on Server-Side SNI?

rlebeau (Member, Author) commented May 23, 2019

Nothing that has been checked in yet. Some code changes were submitted to me a while back, and I have incorporated them into my private dev copy of Indy, but I haven't had time to test and verify that things work before checking in to the public repository. I have no ETA on that at this time.

rlebeau changed the title from "Add support for TLS "Server Name Indication" (SNI)" to "Add client-side support for TLS "Server Name Indication" (SNI)" Apr 25, 2023
rlebeau changed the title from "Add client-side support for TLS "Server Name Indication" (SNI)" to "Add support for client-side TLS "Server Name Indication" (SNI)" Apr 25, 2023
rlebeau added the Status: Fixed label Apr 25, 2023
rlebeau closed this as completed Apr 25, 2023