SNI disable by default on 1.0 and 1.1.0?
Benjamin Kaduk
bkaduk at akamai.com
Mon Dec 2 20:52:55 UTC 2019
On Mon, Dec 02, 2019 at 09:05:33PM +0100, aeris wrote:
> Hello here,
>
> I try to compile 1.0.2t and 1.1.0l, but I notice SNI seems disabled by
> default, when it's enabled by default on 1.1.1d…
Please specify whether you are concerned about the s_client behavior specifically
or the libssl library behavior.
> openssl-1.0.2t
> $ ./config enable-tlsext && make
> $ echo -n "" | ./apps/openssl s_client -connect blog.imirhil.fr:443 | ./apps/
> openssl x509 -noout -subject
> subject= /CN=localhost # No SNI by default, default vhost, bad certificate
> $ echo -n "" | ./apps/openssl s_client -connect blog.imirhil.fr:443 -
> servername blog.imirhil.fr | ./apps/openssl x509 -noout -subject
> subject= /CN=blog.imirhil.fr # SNI, correct vhost, good certificate
>
> openssl-1.1.1d
> $ ./config && make
> $ echo -n "" | ./apps/openssl s_client -connect blog.imirhil.fr:443 | ./apps/
> openssl x509 -noout -subject
> subject= /CN=blog.imirhil.fr # SNI by default, correct vhost, good certificate
>
> According to changelog, enable-tlsext is available since 0.9.8f and by default
> since 0.9.8j, but seems something is wrong somewhere…
> The observed behaviour breaks all applications which don't set SNI explicitly,
> hitting the default vhost and not the real content…
> Is there any way to force SNI activation by default at build time on pre 1.1.1
> versions, like under 1.1.1d ?
I think your tests are just finding the changes from https://github.com/openssl/openssl/pull/2614
but other applications using libssl still need to use the SSL_set_tlsext_host_name()
API in order to send the SNI extension.
-Ben
More information about the openssl-users
mailing list