> On Nov 28, 2018, at 3:48 PM, Jeremy Harris <jgh@xxxxxxxxxxx> wrote:
>
> Using SSL_CTX_set_tlsext_servername_callback()
> when the called routine returns SSL_TLSEXT_ERR_NOACK
> I was expecting the handshake to fail. It carries
> on; am I doing something wrong?

For an SMTP server, SNI values that don't match are not unexpected,
given that e.g. with DANE the DANE-aware clients will send the TLSA
base domain, while non-DANE clients will send the original MX hostname,
which may be different.

So while it is interesting to test failing on SNI mismatch, please
DO NOT fail handshakes on SNI mismatch in SMTP.

--
Viktor.