[openssl-dev] SNI by default in s_client

Viktor Dukhovni openssl-users at dukhovni.org
Mon Feb 13 17:32:19 UTC 2017


> On Feb 13, 2017, at 12:20 PM, Benjamin Kaduk <bkaduk at akamai.com> wrote:
> 
> Perhaps a reasonable compromise would be to ensure that the -noservername option is accepted (as a noop) in 1.1.0<letter>, so that there is a way to write a script that remains compatible between 1.1.0 and 1.1.1 even if the default does change.

We could add a "-ignore_unknown" option, which (if specified first)
would more generally allow the CLI to ignore attempts to use features
only available in later versions.  An environment variable could provide
another means to the same end.

That said, I don't think that enabling SNI by default *in s_client* is
sufficient cause to motivate such a feature.  The s_client command adds
new options from time to time, and IIRC we've never before back-ported
these as NOPs.  If an "ignore_unknown" option is warranted, it is for
all the other new things we might add in addition to "-noservername".

I'd be more concerned with potentially incompatible changes to cms(1),
enc(1), req(1), x509(1), ... which are the main day-to-day tools used
by users to get useful work done.  The s_client(1) and s_server(1)
commands are diagnostic utilities, and as such it is reasonable to be
less strict w.r.t. reasonable behaviour changes.

We should still provide a backwards compatible interface, but that
does not preclude reasonable differences in the resulting behaviour.

-- 
	Viktor.
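The compatibility problem raised in the quoted reply (a script that must drive s_client on a release that lacks -noservername and on one that accepts it) can be handled without a NOP back-port by probing the help text at run time. The following is an added example, not code from the thread or from the OpenSSL project; it assumes that `openssl s_client -help` lists the options the build accepts, that the script wants SNI disabled, and that on a build which never sends SNI unless -servername is given, simply omitting the option is equivalent to -noservername.

```shell
#!/bin/sh
# Added example (not from the thread): pick s_client arguments that work
# whether or not this openssl build accepts -noservername.  Probing the
# help text avoids hard-coding a version number and keeps one script
# usable across releases that change the SNI default.

# Return 0 if the given s_client help text advertises -noservername.
# Argument: the help output (constructed in tests, real output below).
help_has_noservername() {
    printf '%s\n' "$1" | grep -q -- '-noservername'
}

# Print the argument to pass when SNI must be off: -noservername when the
# build supports it, otherwise nothing (assumption: a build without the
# option does not send SNI unless -servername is given explicitly).
sni_off_args() {
    if help_has_noservername "$1"; then
        printf '%s' '-noservername'
    else
        printf '%s' ''
    fi
}

# Live usage, only when an openssl binary is on the PATH.  `|| true`
# keeps older builds that exit non-zero on -help from aborting the script.
if command -v openssl >/dev/null 2>&1; then
    HELP=$(openssl s_client -help 2>&1 || true)
    echo "SNI-off argument for this build: '$(sni_off_args "$HELP")'"
    # A real invocation would then be, e.g.:
    #   openssl s_client -connect host:443 $(sni_off_args "$HELP") </dev/null
fi
```

The probe reads the help text rather than parsing `openssl version`, so it also behaves correctly on vendor builds whose version string does not match upstream feature sets; the only assumption is that the build's own help output is truthful about the options it accepts.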