SNI disabled by default on 1.0 and 1.1.0?

aeris aeris+openssl at
Mon Dec 2 20:05:33 UTC 2019

Hello here,

I'm trying to compile 1.0.2t and 1.1.0l, but I notice SNI seems to be disabled by
default, while it's enabled by default on 1.1.1d…

$ ./config enable-tlsext && make
$ echo -n "" | ./apps/openssl s_client -connect | ./apps/openssl x509 -noout -subject
subject= /CN=localhost # No SNI by default, default vhost, bad certificate
$ echo -n "" | ./apps/openssl s_client -connect -servername | ./apps/openssl x509 -noout -subject
subject= / # SNI, correct vhost, good certificate

$ ./config && make
$ echo -n "" | ./apps/openssl s_client -connect | ./apps/openssl x509 -noout -subject
subject= / # SNI by default, correct vhost, good certificate

According to the changelog, enable-tlsext has been available since 0.9.8f and by default
since 0.9.8j, but it seems something is wrong somewhere…
The observed behaviour breaks all applications which don't set SNI explicitly,
hitting the default vhost and not the real content…
Is there any way to force SNI activation by default at build time on pre-1.1.1
versions, like under 1.1.1d?

Individual crypto-terrorist group self-radicalized on the digital darknet

Protect your privacy, encrypt your communications
GPG : EFB74277 ECE4E222
OTR : 5769616D 2D3DAC72

More information about the openssl-users mailing list