Should SSL_get_servername() depend on SNI callback (no-)ACK?

Stephen Farrell stephen.farrell at cs.tcd.ie
Tue Oct 22 17:39:59 UTC 2019


Hiya,

On 22/10/2019 17:09, Yann Ylavic wrote:
> Sorry for the shortcut, by "tlsext_hostname" I meant the name of the
> field in SSL_SESSION_ASN1.
> My observation is that when browsers resume a session, s->hit is set
> but s->session->ext.hostname is NULL, which I interpret as no SNI
> found in the SSL_SESSION (and thus no SNI encoded in the session
> ticket, presumably).
> On the other hand, the SNI is always in ClientHello (though there is
> no way to match it against the session's).

FWIW, I also had to play about a bit with that to get ESNI
working with tickets. I can chase down the bits of code for
that in my fork [1] if it's useful.

Cheers,
S.

[1] https://github.com/sftcd/openssl/