[openssl-dev] SNI by default in s_client
Viktor Dukhovni
openssl-users at dukhovni.org
Mon Feb 13 17:01:15 UTC 2017
> On Feb 13, 2017, at 11:13 AM, Matt Caswell <matt at openssl.org> wrote:
>
> I'd like to canvas opinion on this PR:
> https://github.com/openssl/openssl/pull/2614
>
> At the moment s_client does not add the SNI extension by default. You
> have to explicitly ask for it using the "-servername" option.

So long as the "-servername" option remains in place and supports
setting the SNI name to something other than the host part of the
"-connect" option I think we provide sufficient compatibility with
the legacy s_client CLI interface. Adding a "-noservername" option
is compatible enough.

The change of default behaviour is not an interface change, it is a
behaviour change, and could even, with enough squinting, be viewed
as a bugfix, given the modern TLS landscape.

That said, even behaviour changes in stable releases do merit
discussion. Certainly I would not support the proposed change in
a patch release. For 1.1.1, I am not opposed, because s_client
is not stunnel, it is primarily useful as a diagnostic tool, and
while some monitoring tools built around it may behave differently
as a result of the change, it is not clear that delaying to 1.2.x
helps. If we're going to do this, I think that 1.1.1 is OK, if the
interface remains compatible.
--
Viktor.
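An added example, not from this thread or the OpenSSL project, showing why the default matters: a local s_server that picks its certificate from the client's SNI, queried by s_client with and without "-servername". The host names, port and throwaway certificates are constructed for the demo; it assumes an `openssl` binary with s_server and s_client in PATH.

```shell
#!/bin/sh
# Constructed demo: a server that chooses its certificate by SNI, and
# s_client runs that do / do not send the extension.
set -e
WORK=$(mktemp -d)
PORT=14433

mkcert() {  # $1 = CN; self-signed, one-day, throwaway demo certificate
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" >/dev/null 2>&1
}
mkcert default.test   # served when no SNI (or an unknown name) arrives
mkcert sni.test       # served only when the client's SNI is "sni.test"

# s_server switches to -cert2/-key2 when the client's SNI equals -servername.
openssl s_server -accept "$PORT" -quiet \
  -cert "$WORK/default.test.crt" -key "$WORK/default.test.key" \
  -servername sni.test -cert2 "$WORK/sni.test.crt" -key2 "$WORK/sni.test.key" \
  </dev/null >/dev/null 2>&1 &
SERVER=$!
trap 'kill "$SERVER" 2>/dev/null || true; rm -rf "$WORK"' EXIT

# Prints the CN of the leaf certificate the server actually presented.
# Extra arguments go straight to s_client (e.g. -servername NAME).
# An IP literal in -connect never yields an SNI name, so the plain call
# behaves like a pre-1.1.1 s_client invoked without -servername.
served_cn() {
  openssl s_client -connect "127.0.0.1:$PORT" "$@" </dev/null 2>/dev/null \
    | openssl x509 -noout -subject 2>/dev/null | sed 's/.*CN *= *//'
}

# Wait (up to ~10 s) for s_server to start listening.
for _ in 1 2 3 4 5 6 7 8 9 10; do
  [ -n "$(served_cn)" ] && break
  sleep 1
done

echo "no SNI:       $(served_cn)"                        # default.test
echo "SNI sni.test: $(served_cn -servername sni.test)"   # sni.test
```

A monitoring script that checks "the certificate on host X" without "-servername" is therefore inspecting the server's fallback certificate, which is exactly the case the proposed default change removes.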