[openssl-commits] [openssl] master update
Rich Salz
rsalz at openssl.org
Tue Jun 13 12:39:28 UTC 2017
The branch master has been updated
via 481afe2ad1325caf4beb0b9dee89cf69e7825e99 (commit)
from 979874a208e2244e1e65533aaa31d7aa0cf00cc5 (commit)
- Log -----------------------------------------------------------------
commit 481afe2ad1325caf4beb0b9dee89cf69e7825e99
Author: Paul Yang <paulyang.inf at gmail.com>
Date: Tue Jun 13 20:18:55 2017 +0800
Make SNI behavior more clear in s_client doc & help
Update s_client -help and pod file.
Signed-off-by: Paul Yang <paulyang.inf at gmail.com>
Reviewed-by: Andy Polyakov <appro at openssl.org>
Reviewed-by: Rich Salz <rsalz at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3654)
-----------------------------------------------------------------------
Summary of changes:
apps/s_client.c | 2 +-
doc/man1/s_client.pod | 14 +++++++++-----
2 files changed, 10 insertions(+), 6 deletions(-)
diff --git a/apps/s_client.c b/apps/s_client.c
index 663ab49..8af3853 100644
--- a/apps/s_client.c
+++ b/apps/s_client.c
@@ -651,7 +651,7 @@ const OPTIONS s_client_options[] = {
"CA file for certificate verification (PEM format)"},
{"nocommands", OPT_NOCMDS, '-', "Do not use interactive command letters"},
{"servername", OPT_SERVERNAME, 's',
- "Set TLS extension servername in ClientHello"},
+ "Set TLS extension servername (SNI) in ClientHello (default)"},
{"noservername", OPT_NOSERVERNAME, '-',
"Do not send the server name (SNI) extension in the ClientHello"},
{"tlsextdebug", OPT_TLSEXTDEBUG, '-',
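Review bot: The "(default)" added to the -servername help string is ambiguous, because this option takes a value ('s') and the text does not say which name is sent when the option is omitted. Consider spelling it out, for example "(default: the -connect hostname)", so the help output agrees with the -noservername entry directly below it, which already describes suppressing the extension.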
diff --git a/doc/man1/s_client.pod b/doc/man1/s_client.pod
index 5414ffa..9f6084d 100644
--- a/doc/man1/s_client.pod
+++ b/doc/man1/s_client.pod
@@ -159,16 +159,20 @@ Use IPv6 only.
=item B<-servername name>
Set the TLS SNI (Server Name Indication) extension in the ClientHello message to
-the given value.
+the given value. If both this option and the B<-noservername> are not given, the
+TLS SNI extension is still set to the hostname provided to the B<-connect> option,
+or "localhost" if B<-connect> has not been supplied. This is default since OpenSSL
+1.1.1.
+
+Even though SNI name should normally be a DNS name and not an IP address, this
+option will not make the distinction when parsing B<-connect> and will send
+IP address if one passed.
=item B<-noservername>
Suppresses sending of the SNI (Server Name Indication) extension in the
ClientHello message. Cannot be used in conjunction with the B<-servername> or
-<-dane_tlsa_domain> options. If this option is not given then the hostname
-provided to the B<-connect> option is used in the SNI extension, or "localhost"
-if B<-connect> has not been supplied. Note that an SNI name should normally be a
-DNS name and not an IP address.
+<-dane_tlsa_domain> options.
=item B<-cert certname>
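Review bot: The added line "+<-dane_tlsa_domain> options." under -noservername carries over the missing POD formatting code from the line it replaces; it should read B<-dane_tlsa_domain> so the option renders in bold like B<-servername> next to it. In the new -servername text, "If both this option and the B<-noservername> are not given" reads more clearly as "If neither this option nor B<-noservername> is given", "This is default since OpenSSL 1.1.1" needs an article ("the default"), and "will send IP address if one passed" should be "will send an IP address if one is passed". Since the paragraph now documents that an IP literal from B<-connect> is sent as the SNI name even though it should normally be a DNS name, it would help to point readers at B<-noservername> for that case.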