[openssl-dev] SSL_set_tlsext_host_name(ssl, "")

Claus Assmann ca+ssl-dev at esmtp.org
Sat Jan 16 17:42:18 UTC 2016


While playing around with the DANE support in OpenSSL 1.1 I noticed
that the TLS handshake will fail if I specify an empty name:
SSL_dane_enable(ssl, "")
(AFAICT no name is needed for DANE-TA(2) RRs).

This can also be reproduced using
openssl s_client -servername "" ...

The error I'm getting is:
SSL3 alert read:fatal:decode error
SSL_connect:error in SSLv3/TLS write client hello
694985564:error:1409441A:SSL routines:ssl3_read_bytes:reason(1050):record/rec_layer_s3.c:1346:SSL alert number 50

It seems an empty name should not be allowed:
RFC 3546 3.1: opaque HostName<1..2^16-1>;

Maybe SSL_set_tlsext_host_name() should return an error if an empty
name is passed?

PS: SSL_CTX_dane_enable.pod:
=head1 SEE ALSO
...
L<SSL_set_tlsext_host_name(3)>,

but AFAICT that man page does not exist.
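As an added illustration of the length rule quoted above (this is example code written for this page, not OpenSSL's implementation of SSL_set_tlsext_host_name()), the following standalone C program encodes and parses the server_name extension body as laid out in RFC 3546 3.1. The validity check rejects "" before anything is put on the wire, and the parser returns the same failure a server reports with a decode_error alert when it meets a zero-length HostName. The five-byte "empty name" body is a constructed sample, not captured traffic.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Wire format of the server_name extension body (RFC 3546 3.1):
 *   ServerNameList = uint16 length, followed by one or more ServerName
 *   ServerName     = uint8 name_type (host_name = 0), uint16 length, HostName
 *   opaque HostName<1..2^16-1>   -- at least one byte, so "" is not encodable
 */
#define SNI_HOST_NAME 0

/* The check the thread proposes for SSL_set_tlsext_host_name():
 * returns 1 if the name satisfies HostName<1..2^16-1>, 0 otherwise. */
int sni_name_is_valid(const char *name) {
    size_t n = name ? strlen(name) : 0;
    return n >= 1 && n <= 0xFFFF;
}

/* Encode a single host_name entry into out. Returns the number of bytes
 * written, or -1 if the name is invalid or the buffer is too small. */
int sni_encode(const char *name, unsigned char *out, size_t cap) {
    if (!sni_name_is_valid(name)) return -1;   /* "" is refused here, never sent */
    size_t n = strlen(name);
    size_t entry = 1 + 2 + n;                  /* name_type + length + HostName */
    if (entry > 0xFFFF) return -1;             /* must fit the uint16 list length */
    size_t total = 2 + entry;
    if (total > cap) return -1;
    out[0] = (unsigned char)(entry >> 8);
    out[1] = (unsigned char)(entry & 0xFF);
    out[2] = SNI_HOST_NAME;
    out[3] = (unsigned char)(n >> 8);
    out[4] = (unsigned char)(n & 0xFF);
    memcpy(out + 5, name, n);
    return (int)total;
}

/* Parse a ServerNameList and copy the first host_name into name
 * (NUL-terminated, truncated to name_cap - 1 bytes). Returns 0 on success
 * and -1 for the framing errors a peer answers with decode_error (alert 50):
 * short buffers, inconsistent lengths, or an empty HostName. */
int sni_parse(const unsigned char *buf, size_t len, char *name, size_t name_cap) {
    if (!name || name_cap == 0 || len < 2) return -1;
    size_t list_len = ((size_t)buf[0] << 8) | buf[1];
    if (list_len < 1 || list_len != len - 2) return -1;
    const unsigned char *p = buf + 2, *end = buf + len;
    while (p < end) {
        if (end - p < 3) return -1;
        unsigned char type = p[0];
        size_t nlen = ((size_t)p[1] << 8) | p[2];
        p += 3;
        if (nlen < 1) return -1;                  /* HostName<1..2^16-1>: empty is a decode error */
        if ((size_t)(end - p) < nlen) return -1;  /* name runs past the extension body */
        if (type == SNI_HOST_NAME) {
            size_t copy = nlen < name_cap - 1 ? nlen : name_cap - 1;
            memcpy(name, p, copy);
            name[copy] = '\0';
            return 0;
        }
        p += nlen;                                /* skip unknown name types */
    }
    return -1;                                    /* no host_name entry present */
}

/* Returns 1 if name encodes and parses back unchanged, 0 if either step rejects it. */
int sni_roundtrip(const char *name) {
    unsigned char wire[256];
    char back[256];
    int n = sni_encode(name, wire, sizeof wire);
    if (n < 0) return 0;
    if (sni_parse(wire, (size_t)n, back, sizeof back) != 0) return 0;
    return strcmp(name, back) == 0;
}

/* Constructed sample: the body a client would emit if it encoded "" literally
 * (list length 3, host_name type, HostName length 0). Returns the parser's
 * verdict, which is -1, the decode_error case from the thread. */
int sni_parse_empty_sample(void) {
    static const unsigned char empty_sni[] = { 0x00, 0x03, 0x00, 0x00, 0x00 };
    char back[8];
    return sni_parse(empty_sni, sizeof empty_sni, back, sizeof back);
}

int main(void) {
    printf("\"example.com\" round-trips: %d\n", sni_roundtrip("example.com"));
    printf("\"\" passes validity check: %d\n", sni_name_is_valid(""));
    printf("empty HostName parse result: %d\n", sni_parse_empty_sample());
    return 0;
}
```

The point of splitting the check into sni_name_is_valid() is that a library wrapper can fail fast with a clear local error instead of letting the handshake proceed and surface the problem only as alert 50 from the peer.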
