From 7dda96e69fc09fcb8dea6f3aa80cd144e8991eab Mon Sep 17 00:00:00 2001
From: Olav Morken <olav.morken@uninett.no>
Date: Thu, 22 Nov 2012 08:03:28 +0000
Subject: [PATCH] Utilities::fetch(): Workaround for SSL SNI extension not
 being correctly set.

See: https://bugs.php.net/bug.php?id=63519

Thanks to Marco Ferrante for implementing this workaround!

git-svn-id: https://simplesamlphp.googlecode.com/svn/trunk@3205 44740490-163a-0410-bde0-09ae8108e29a
---
 lib/SimpleSAML/Utilities.php | 24 ++++++++++++++++++++++++
 1 file changed, 24 insertions(+)

diff --git a/lib/SimpleSAML/Utilities.php b/lib/SimpleSAML/Utilities.php
index e6c80c4b3..6a902e092 100644
--- a/lib/SimpleSAML/Utilities.php
+++ b/lib/SimpleSAML/Utilities.php
@@ -2171,6 +2171,30 @@ class SimpleSAML_Utilities {
 			if (!isset($context['http']['request_fulluri'])) {
 				$context['http']['request_fulluri'] = TRUE;
 			}
+			// If the remote endpoint over HTTPS uses the SNI extension
+			// (Server Name Indication RFC 4366), the proxy could
+			// introduce a mismatch between the names in the
+			// Host: HTTP header and the SNI_server_name in TLS
+			// negotiation (thanks to Cristiano Valli @ GARR-IDEM
+			// to have pointed this problem).
+			// See: https://bugs.php.net/bug.php?id=63519
+			// These controls will force the same value for both fields.
+			// Marco Ferrante (marco@csita.unige.it), Nov 2012
+			if (preg_match('#^https#i', $path)
+				&& defined('OPENSSL_TLSEXT_SERVER_NAME')
+				&& OPENSSL_TLSEXT_SERVER_NAME) {
+				// Extract the hostname
+				$hostname = parse_url($path, PHP_URL_HOST);
+				if (!empty($hostname)) {
+					$context['ssl'] = array(
+						'SNI_server_name' => $hostname,
+						'SNI_enabled' => TRUE,
+						);
+				}
+				else {
+					SimpleSAML_Logger::warning('Invalid URL format or local URL used through a proxy');
+				}
+			}
 		}
 
 		$context = stream_context_create($context);
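Review bot: The assignment `$context['ssl'] = array(...)` on the new lines replaces the entire `ssl` sub-array, so any SSL options already present in `$context` (for example `verify_peer`, `cafile` or `capture_peer_cert`, if the caller supplies them) would be silently dropped, which could downgrade certificate verification for exactly the proxied HTTPS requests this patch targets. The existing code a few lines up treats caller-provided context entries as authoritative (`if (!isset($context['http']['request_fulluri']))`), so the SNI fix should merge rather than overwrite: `$context['ssl']['SNI_server_name'] = $hostname;` and `$context['ssl']['SNI_enabled'] = TRUE;`. Consider also deriving the scheme from `parse_url($path, PHP_URL_SCHEME)` instead of `preg_match('#^https#i', $path)`, which also matches any URL whose scheme merely starts with "https". The enclosing `fetch()` method starts and ends outside this hunk.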
-- 
GitLab