[openssl-project] Potentially bad news on TLS 1.3 compatibility (sans SNI)

Kurt Roeckx kurt at roeckx.be
Thu Apr 19 19:19:41 UTC 2018


On Thu, Apr 19, 2018 at 09:15:19PM +0200, Kurt Roeckx wrote:
> 
> It would also be nice that if the client sends an SNI and you have
> a certificate for it that it wouldn't select an anonymous cipher.
> But then postfix is probably the only one that does anonymous
> ciphers, and if it's not sending SNI this will not change much.

An alternative is that if you think the certificate should be
trusted by the peer you don't select an anonymous cipher.


Kurt


