SNI disable by default on 1.0 and 1.1.0?
Viktor Dukhovni
openssl-users at dukhovni.org
Mon Dec 2 20:48:29 UTC 2019
On Mon, Dec 02, 2019 at 09:05:33PM +0100, aeris wrote:
> I try to compile 1.0.2t and 1.1.0l, but I notice SNI seems disabled by
> default, when it's enabled by default on 1.1.1d…
SNI is not "disabled" in any of these versions, it is not just turned on
by default in the s_client command-line utility (a testing tool). The
OpenSSL library does not by default turn on SNI in any of these
releases. The application code has to call SSL_set_tlsext_host_name(3)
in order to enable SNI.
> The observed behaviour breaks all applications which don't set SNI explicitly,
> hitting the default vhost and not the real content…
Applications have to set SNI explicitly.
> Is there any way to force SNI activation by default at build time on pre 1.1.1
> versions, like under 1.1.1d ?
No, and the same applies to 1.1.1d.
--
Viktor.
More information about the openssl-users
mailing list