SNI disable by default on 1.0 and 1.1.0?

Michael Wojcik Michael.Wojcik at
Mon Dec 2 22:39:26 UTC 2019

> From: openssl-users [mailto:openssl-users-bounces at] On Behalf Of
> Viktor Dukhovni
> Sent: Monday, December 02, 2019 13:48
> To: openssl-users at
> Subject: Re: SNI disable by default on 1.0 and 1.1.0?
> SNI is not "disabled" in any of these versions, it is not just turned on
> by default in the s_client command-line utility (a testing tool).  The
> OpenSSL library does not by default turn on SNI in any of these
> releases. The application code has to call SSL_set_tlsext_host_name(3)
> in order to enable SNI.

And, indeed, how could it be otherwise? The value of the SNI extension should always be the peer name, as intended by the client. Is OpenSSL supposed to discern this by magic? The caller has to tell the library what value to put in the extension.

Michael Wojcik
Distinguished Engineer, Micro Focus

More information about the openssl-users mailing list