SNI disabled by default on 1.0 and 1.1.0?
aeris
aeris+openssl at imirhil.fr
Mon Dec 2 20:05:33 UTC 2019
Hello here,

I am trying to compile 1.0.2t and 1.1.0l, but I notice SNI seems to be disabled by default, whereas it's enabled by default on 1.1.1d…

openssl-1.0.2t
$ ./config enable-tlsext && make
$ echo -n "" | ./apps/openssl s_client -connect blog.imirhil.fr:443 | ./apps/openssl x509 -noout -subject
subject= /CN=localhost # No SNI by default, default vhost, bad certificate
$ echo -n "" | ./apps/openssl s_client -connect blog.imirhil.fr:443 -servername blog.imirhil.fr | ./apps/openssl x509 -noout -subject
subject= /CN=blog.imirhil.fr # SNI, correct vhost, good certificate

openssl-1.1.1d
$ ./config && make
$ echo -n "" | ./apps/openssl s_client -connect blog.imirhil.fr:443 | ./apps/openssl x509 -noout -subject
subject= /CN=blog.imirhil.fr # SNI by default, correct vhost, good certificate

According to the changelog, enable-tlsext is available since 0.9.8f and by default since 0.9.8j, but it seems something is wrong somewhere…

The observed behaviour breaks all applications which don't set SNI explicitly, hitting the default vhost and not the real content…

Is there any way to force SNI activation by default at build time on pre-1.1.1 versions, like under 1.1.1d?

Regards,
--
aeris
Individual crypto-terrorist group self-radicalized on the digital darknet
https://imirhil.fr/
Protect your privacy, encrypt your communications
GPG : EFB74277 ECE4E222
OTR : 5769616D 2D3DAC72
https://café-vie-privée.fr/