[openssl-dev] SNI by default in s_client
Viktor Dukhovni
openssl-users at dukhovni.org
Mon Feb 13 18:58:05 UTC 2017
> On Feb 13, 2017, at 12:32 PM, Viktor Dukhovni <openssl-users at dukhovni.org> wrote:
>
> That said, I don't think that enabling SNI by default *in s_client* is
> sufficient cause to motivate such a feature. The s_client command adds
> new options from time to time, and IIRC we've never before back-ported
> these as NOPs. If an "ignore_unknown" option is warranted, it is for
> all the other new things we might add in addition to "-noservername".
One more thing I should note. The implementation should not break the
"-dane_tlsa_domain" option. That is, with no explicit "-servername"
and with "-dane_tlsa_domain", the SNI name must come from that option,
and not the "-connect" hostname.
--
Viktor.
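
The SNI precedence described in the message above, as an added C sketch that is not s_client's own code and not part of the original post. The struct, field and function names are hypothetical, "-noservername" is assumed to suppress SNI outright, and the IP-literal check goes beyond the message (RFC 6066 does not permit literal addresses in server_name).

```c
#include <stdio.h>
#include <stddef.h>
#include <netinet/in.h>
#include <arpa/inet.h>

/* Hypothetical option state; field names are assumptions, not s_client's. */
struct sni_opts {
    const char *servername;        /* -servername value, or NULL */
    int noservername;              /* non-zero if -noservername was given */
    const char *dane_tlsa_domain;  /* -dane_tlsa_domain value, or NULL */
    const char *connect_host;      /* host part of -connect, or NULL */
};

/* RFC 6066: literal IPv4/IPv6 addresses are not permitted in server_name. */
static int is_ip_literal(const char *host)
{
    unsigned char buf[sizeof(struct in6_addr)];
    return inet_pton(AF_INET, host, buf) == 1 ||
           inet_pton(AF_INET6, host, buf) == 1;
}

/* Returns the name to send in SNI, or NULL to send no SNI extension. */
const char *select_sni_name(const struct sni_opts *o)
{
    if (o->noservername)                 /* assumed to disable SNI entirely */
        return NULL;
    if (o->servername != NULL)           /* explicit name always wins */
        return o->servername;
    if (o->dane_tlsa_domain != NULL)     /* TLSA base domain beats -connect */
        return o->dane_tlsa_domain;
    if (o->connect_host != NULL && !is_ip_literal(o->connect_host))
        return o->connect_host;          /* new default: -connect hostname */
    return NULL;
}

int main(void)
{
    /* Constructed sample: connect to an MX host, DANE base domain differs. */
    struct sni_opts o = { NULL, 0, "example.org", "mx1.example.net" };
    const char *name = select_sni_name(&o);
    printf("SNI: %s\n", name ? name : "(none)");
    return 0;
}
```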