[openssl-users] SNI callback

Viktor Dukhovni openssl-users at dukhovni.org
Wed Nov 28 22:18:04 UTC 2018


> On Nov 28, 2018, at 3:48 PM, Jeremy Harris <jgh at wizmail.org> wrote:
> 
> Using SSL_CTX_set_tlsext_servername_callback()
> when the called routine returns SSL_TLSEXT_ERR_NOACK
> I was expecting the handshake to fail.  It carries
> on; am I doing something wrong?

For an SMTP server, SNI values that don't match are not unexpected,
given that e.g. with DANE the DANE-aware clients will send the TLSA
base domain, while non-DANE clients will send the original MX hostname,
which may be different.

So while it is interesting to test failing on SNI mismatch, please DO NOT
fail handshakes on SNI mismatch in SMTP.

-- 
	Viktor.
