Re: SNI callback


 



> On Nov 28, 2018, at 3:48 PM, Jeremy Harris <jgh@xxxxxxxxxxx> wrote:
> 
> Using SSL_CTX_set_tlsext_servername_callback()
> when the called routine returns SSL_TLSEXT_ERR_NOACK
> I was expecting the handshake to fail.  It carries
> on; am I doing something wrong?

For an SMTP server, SNI values that don't match are not unexpected,
given that e.g. with DANE the DANE-aware clients will send the TLSA
base domain, while non-DANE clients will send the original MX hostname,
which may be different.

So while it is interesting to test failing on SNI mismatch, please DO NOT
fail handshakes on SNI mismatch in SMTP.

-- 
	Viktor.

-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
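The policy recommended in the reply above, as an added example that is not part of the original message or of OpenSSL's own code: switch to the matching certificate context when the SNI is known, and return `SSL_TLSEXT_ERR_NOACK` (handshake continues with the default context) when it is absent or unknown. The names `vhost`, `vhost_table`, `pick_vhost`, `sni_result`, `sni_cb`, `install_sni` and the `WITH_OPENSSL` build switch are hypothetical; build with `-DWITH_OPENSSL -lssl -lcrypto` to include the real callback.

```c
/* Added example: SNI handling for an SMTP server that never fails the
 * handshake on an unknown name. All identifiers here are hypothetical. */
#include <stddef.h>
#include <strings.h>

#ifdef WITH_OPENSSL
#include <openssl/ssl.h>
#else
typedef struct ssl_ctx_st SSL_CTX;   /* opaque stand-in so the policy builds alone */
#define SSL_TLSEXT_ERR_OK    0       /* same values as OpenSSL's <openssl/tls1.h> */
#define SSL_TLSEXT_ERR_NOACK 3
#endif

struct vhost { const char *name; SSL_CTX *ctx; };

/* Return the vhost whose name equals the SNI (case-insensitive), else NULL. */
const struct vhost *pick_vhost(const struct vhost *v, size_t n, const char *sni)
{
    if (sni == NULL) return NULL;            /* client sent no SNI at all */
    for (size_t i = 0; i < n; i++)
        if (strcasecmp(v[i].name, sni) == 0) return &v[i];
    return NULL;
}

/* Callback result for a lookup: match -> OK; no SNI or mismatch -> NOACK. */
int sni_result(const struct vhost *hit)
{
    return hit ? SSL_TLSEXT_ERR_OK : SSL_TLSEXT_ERR_NOACK;
}

#ifdef WITH_OPENSSL
struct vhost_table { const struct vhost *v; size_t n; };

static int sni_cb(SSL *ssl, int *al, void *arg)
{
    const struct vhost_table *t = arg;
    const char *sni = SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name);
    const struct vhost *hit = pick_vhost(t->v, t->n, sni);
    (void)al;                                /* unused: no fatal result is returned */
    if (hit != NULL)
        SSL_set_SSL_CTX(ssl, hit->ctx);      /* present that name's certificate */
    return sni_result(hit);                  /* mismatch: default ctx's certificate */
}

void install_sni(SSL_CTX *default_ctx, struct vhost_table *t)
{
    SSL_CTX_set_tlsext_servername_callback(default_ctx, sni_cb);
    SSL_CTX_set_tlsext_servername_arg(default_ctx, t);
}
#endif
```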


