Re: F29 Self-Contained Change: GnuTLS enables TLS 1.3 by default

> On Sun, Sep 23, 2018 at 10:14 AM, Nicolas Mailhot
> <nicolas.mailhot@xxxxxxxxxxx> wrote:
>> ??? That's not a Google choice, SNI is one of the Mandatory-to-Implement
>> Extensions in TLS 1.3. You'll need it to connect to anything that claims
>> TLS 1.3 (which will be everyone as soon as someone publishes a hole in
>> TLS 1.2)
>>
>> Of course Google *was* heavily involved in the TLS 1.3 draft, and *is*
>> working on obsoleting SNI as it exists today in favour of an encrypted
>> variant.
>
> I didn't know that!
>
> In that case... well, that requires changes in all applications using
> GnuTLS that don't already use gnutls_server_name_set(). They will
> either need to call gnutls_server_name_set(), or else disable TLS
> 1.3. Correct?

If they want to be compatible with certain servers:

| Additionally, all implementations MUST support the use of the
| "server_name" extension with applications capable of using it.
| Servers MAY require clients to send a valid "server_name" extension.
| Servers requiring this extension SHOULD respond to a ClientHello
| lacking a "server_name" extension by terminating the connection with
| a "missing_extension" alert.

<https://tools.ietf.org/html/rfc8446>

There is no requirement in TLS 1.3 to actually send the SNI extension,
which is why GnuTLS still negotiates TLS 1.3 even if no SNI has been
configured by the application.

To be honest, this looks like a misconfiguration of the Google servers.

Thanks,
Florian
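
The server-side rule in the RFC 8446 passage quoted above, as an added example that is not part of the original message and is not GnuTLS code: a dependency-free C check that walks a ClientHello and returns the alert a server requiring SNI would send when "server_name" is absent. The function names and the sample ClientHello (SNI "example.com") are constructed for illustration; the extension type and alert codes are those of RFC 6066 and RFC 8446.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { EXT_SERVER_NAME = 0, DECODE_ERROR = 50, MISSING_EXTENSION = 109 };
/* Skip a vector with an n-byte length prefix; 0 on success, -1 if truncated. */
static int skip_vec(const uint8_t **p, const uint8_t *end, int n) {
    size_t vlen = 0;
    if (end - *p < n) return -1;
    while (n--) vlen = (vlen << 8) | *(*p)++;
    if ((size_t)(end - *p) < vlen) return -1;
    *p += vlen; return 0;
}

/* msg: ClientHello from msg_type on (record header removed). Skips session_id, cipher_suites
 * and compression, walks the extensions; returns the alert a server requiring SNI sends, or 0. */
int required_sni_alert(const uint8_t *msg, size_t len) {
    if (len < 38 || msg[0] != 1) return DECODE_ERROR;   /* 1 = client_hello */
    if ((((size_t)msg[1] << 16) | (msg[2] << 8) | msg[3]) != len - 4) return DECODE_ERROR;
    const uint8_t *p = msg + 38, *end = msg + len;      /* header 4, version 2, random 32 */
    if (skip_vec(&p, end, 1) || skip_vec(&p, end, 2) || skip_vec(&p, end, 1)) return DECODE_ERROR;
    if (p == end) return MISSING_EXTENSION;             /* no extensions at all */
    if (end - p < 2 || (size_t)((p[0] << 8) | p[1]) != (size_t)(end - p) - 2)
        return DECODE_ERROR;
    for (p += 2; end - p >= 4; ) {
        size_t elen = (size_t)((p[2] << 8) | p[3]);
        if ((size_t)(end - p) - 4 < elen) return DECODE_ERROR;
        if (((p[0] << 8) | p[1]) == EXT_SERVER_NAME) return 0;
        p += 4 + elen;
    }
    return p == end ? MISSING_EXTENSION : DECODE_ERROR;
}

/* Constructed sample ClientHello: no session_id, one suite, supported_versions, optional SNI. */
size_t build_sample_hello(uint8_t *out, int with_sni) {
    static const uint8_t pre[] = {0, 0,2,0x13,0x01, 1,0, 0,7, 0,43,0,3,2,3,4};
    static const uint8_t sni[] = {0,0, 0,16, 0,14, 0, 0,11, 'e','x','a','m','p','l','e','.','c','o','m'};
    size_t n = 38 + sizeof pre;
    memset(out, 0, 38); memcpy(out + 38, pre, sizeof pre);
    if (with_sni) { memcpy(out + n, sni, sizeof sni); n += sizeof sni; out[46] = (uint8_t)(7 + sizeof sni); }
    out[0] = 1; out[3] = (uint8_t)(n - 4); out[4] = out[5] = 3;  /* type, length, 0x0303 */
    return n;
}

int main(void) {
    uint8_t buf[80];
    for (int s = 0; s < 2; s++)
        printf("SNI sent=%d -> alert %d\n", s, required_sni_alert(buf, build_sample_hello(buf, s)));
}
```

A client that never calls gnutls_server_name_set() produces the first kind of ClientHello, which a server applying this policy rejects with missing_extension even though TLS 1.3 was offered.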