SNI disable by default on 1.0 and 1.1.0?

Viktor Dukhovni openssl-users at
Mon Dec 2 20:48:29 UTC 2019

On Mon, Dec 02, 2019 at 09:05:33PM +0100, aeris wrote:

> I try to compile 1.0.2t and 1.1.0l, but I notice SNI seems disabled by 
> default, when it's enabled by default on 1.1.1d…

SNI is not "disabled" in any of these versions, it is not just turned on
by default in the s_client command-line utility (a testing tool).  The
OpenSSL library does not by default turn on SNI in any of these
releases. The application code has to call SSL_set_tlsext_host_name(3)
in order to enable SNI.

> The observed behaviour breaks all applications which don't set SNI explicitly, 
> hitting the default vhost and not the real content…

Applications have to set SNI explicitly.

> Is there any way to force SNI activation by default at build time on pre 1.1.1 
> versions, like under 1.1.1d ?

No, and the same applies to 1.1.1d.


More information about the openssl-users mailing list