OpenSSL regression when a servername callback is set

Dmitry Belyavsky beldmit at
Fri Jul 16 12:37:23 UTC 2021

Hello openssl-users,

We came across a change in OpenSSL 1.1.1j that has introduced a regression. and introduced the behaviour
change: when a servername callback is set, we suppose that we are
TLS1.3-capable (see as

When a server has a secret key that is incompatible with TLS 1.3 (in our test
setup it was DSA, but we expect the same behavior with, e.g., Brainpool
curves) set in httpd, when connecting to it via s_client, we get an alert
in response to a ClientHello.

It can be invisible for end-users because of the downgrade dance, but I wonder
if we have any real-life cases.

The relevant GH issue is

Many thanks!
SY, Dmitry Belyavsky