SNI disable by default on 1.0 and 1.1.0?

Viktor Dukhovni openssl-users at
Mon Dec 2 23:13:36 UTC 2019

On Mon, Dec 02, 2019 at 10:39:26PM +0000, Michael Wojcik wrote:

> > SNI is not "disabled" in any of these versions, it is not just turned on
> > by default in the s_client command-line utility (a testing tool).  The
> > OpenSSL library does not by default turn on SNI in any of these
> > releases. The application code has to call SSL_set_tlsext_host_name(3)
> > in order to enable SNI.
> And, indeed, how could it be otherwise? The value of the SNI extension
> should always be the peer name, as intended by the client. Is OpenSSL
> supposed to discern this by magic? The caller has to tell the library what
> value to put in the extension.

Well, OpenSSL does have some interfaces for connecting to a named host, and
those could potentially enable SNI by default, but that is not yet the case,
and is not necessarily appropriate in all cases.

That said enabling SNI for the cases where OpenSSL is doing the
name to IP resolution and setting up the socket is perhaps
something that can be done in a future major release.


More information about the openssl-users mailing list