> From: openssl-users [mailto:openssl-users-bounces@xxxxxxxxxxx] On Behalf Of > Viktor Dukhovni > Sent: Monday, December 02, 2019 13:48 > To: openssl-users@xxxxxxxxxxx > Subject: Re: SNI disable by default on 1.0 and 1.1.0? > > SNI is not "disabled" in any of these versions, it is not just turned on > by default in the s_client command-line utility (a testing tool). The > OpenSSL library does not by default turn on SNI in any of these > releases. The application code has to call SSL_set_tlsext_host_name(3) > in order to enable SNI. And, indeed, how could it be otherwise? The value of the SNI extension should always be the peer name, as intended by the client. Is OpenSSL supposed to discern this by magic? The caller has to tell the library what value to put in the extension. -- Michael Wojcik Distinguished Engineer, Micro Focus
