On Mon, Dec 02, 2019 at 10:39:26PM +0000, Michael Wojcik wrote: > > SNI is not "disabled" in any of these versions, it is not just turned on > > by default in the s_client command-line utility (a testing tool). The > > OpenSSL library does not by default turn on SNI in any of these > > releases. The application code has to call SSL_set_tlsext_host_name(3) > > in order to enable SNI. > > And, indeed, how could it be otherwise? The value of the SNI extension > should always be the peer name, as intended by the client. Is OpenSSL > supposed to discern this by magic? The caller has to tell the library what > value to put in the extension. Well, OpenSSL does have some interfaces for connecting to a named host, and those could potentially enable SNI by default, but that is not yet the case, and is not necessarily appropriate in all cases. That said enabling SNI for the cases where OpenSSL is doing the name to IP resolution and setting up the socket is perhaps something that can be done in a future major release. -- Viktor.