Hello here,

I try to compile 1.0.2t and 1.1.0l, but I notice SNI seems disabled by default, when it's enabled by default on 1.1.1d…

openssl-1.0.2t

$ ./config enable-tlsext && make
$ echo -n "" | ./apps/openssl s_client -connect blog.imirhil.fr:443 | ./apps/openssl x509 -noout -subject
subject= /CN=localhost
# No SNI by default, default vhost, bad certificate
$ echo -n "" | ./apps/openssl s_client -connect blog.imirhil.fr:443 -servername blog.imirhil.fr | ./apps/openssl x509 -noout -subject
subject= /CN=blog.imirhil.fr
# SNI, correct vhost, good certificate

openssl-1.1.1d

$ ./config && make
$ echo -n "" | ./apps/openssl s_client -connect blog.imirhil.fr:443 | ./apps/openssl x509 -noout -subject
subject= /CN=blog.imirhil.fr
# SNI by default, correct vhost, good certificate

According to the changelog, enable-tlsext is available since 0.9.8f and by default since 0.9.8j, but it seems something is wrong somewhere…

The observed behaviour breaks all applications which don't set SNI explicitly, hitting the default vhost and not the real content…

Is there any way to force SNI activation by default at build time on pre-1.1.1 versions, like under 1.1.1d?

Regards,
--
aeris
Individual crypto-terrorist group self-radicalized on the digital darknet
https://imirhil.fr/
Protect your privacy, encrypt your communications
GPG : EFB74277 ECE4E222
OTR : 5769616D 2D3DAC72
https://café-vie-privée.fr/