On Mon, Dec 02, 2019 at 09:05:33PM +0100, aeris wrote:
> Hello here,
>
> I tried to compile 1.0.2t and 1.1.0l, but I notice SNI seems disabled by
> default, when it's enabled by default on 1.1.1d…

Please specify whether you are concerned about the s_client behavior specifically or the libssl library behavior.

> openssl-1.0.2t
> $ ./config enable-tlsext && make
> $ echo -n "" | ./apps/openssl s_client -connect blog.imirhil.fr:443 | ./apps/openssl x509 -noout -subject
> subject= /CN=localhost # No SNI by default, default vhost, bad certificate
> $ echo -n "" | ./apps/openssl s_client -connect blog.imirhil.fr:443 -servername blog.imirhil.fr | ./apps/openssl x509 -noout -subject
> subject= /CN=blog.imirhil.fr # SNI, correct vhost, good certificate
>
> openssl-1.1.1d
> $ ./config && make
> $ echo -n "" | ./apps/openssl s_client -connect blog.imirhil.fr:443 | ./apps/openssl x509 -noout -subject
> subject= /CN=blog.imirhil.fr # SNI by default, correct vhost, good certificate
>
> According to the changelog, enable-tlsext is available since 0.9.8f and by default
> since 0.9.8j, but it seems something is wrong somewhere…
> The observed behaviour breaks all applications which don't set SNI explicitly,
> hitting the default vhost and not the real content…
> Is there any way to force SNI activation by default at build time on pre-1.1.1
> versions, like under 1.1.1d?

I think your tests are just finding the changes from https://github.com/openssl/openssl/pull/2614 but other applications using libssl still need to use the SSL_set_tlsext_host_name() API in order to send the SNI extension.

-Ben
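As an added example that is not part of this thread, the point Ben makes can be checked offline from Python's stdlib ssl module, which calls SSL_set_tlsext_host_name() only when the application passes server_hostname: the client is driven through in-memory BIOs just far enough to emit its ClientHello, and the raw record is parsed for the server_name extension. The host name from the thread is reused only as a sample value; no connection is made.

```python
import ssl
import struct

SNI_EXT_TYPE = 0  # server_name extension, RFC 6066


def build_client_hello(server_hostname):
    """Return the raw ClientHello record an OpenSSL-backed client would send.

    server_hostname=None mirrors an application that never calls
    SSL_set_tlsext_host_name(); a string mirrors s_client -servername.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    if server_hostname is None:
        # check_hostname needs a server_hostname, so an app that omits SNI
        # has usually also lost hostname verification (assumed here).
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname=server_hostname)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass  # ClientHello has been written; client now waits for ServerHello
    return outgoing.read()


def extract_sni(client_hello):
    """Return the host name in the ClientHello's SNI extension, or None."""
    rec_type, _ver, rec_len = struct.unpack("!BHH", client_hello[:5])
    assert rec_type == 0x16, "expected a handshake record"
    hs = client_hello[5:5 + rec_len]
    assert hs[0] == 0x01, "expected a ClientHello"
    pos = 4 + 2 + 32                                    # hs header, version, random
    pos += 1 + hs[pos]                                  # session id
    pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0]  # cipher suites
    pos += 1 + hs[pos]                                  # compression methods
    if pos >= len(hs):
        return None                                     # no extensions at all
    end = pos + 2 + struct.unpack("!H", hs[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= end:
        ext_type, length = struct.unpack("!HH", hs[pos:pos + 4])
        data = hs[pos + 4:pos + 4 + length]
        pos += 4 + length
        if ext_type == SNI_EXT_TYPE and data[2] == 0:   # name_type 0 = host_name
            name_len = struct.unpack("!H", data[3:5])[0]
            return data[5:5 + name_len].decode("ascii")
    return None


if __name__ == "__main__":
    print(extract_sni(build_client_hello(None)))               # None
    print(extract_sni(build_client_hello("blog.imirhil.fr")))  # blog.imirhil.fr
```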