Re: [openssl-users] SNI callback
> On Nov 28, 2018, at 3:48 PM, Jeremy Harris wrote:
>
> Using SSL_CTX_set_tlsext_servername_callback()
> when the called routine returns SSL_TLSEXT_ERR_NOACK
> I was expecting the handshake to fail. It carries
> on; am I doing something wrong?

For an SMTP server, SNI values that don't match are not unexpected, given that e.g. with DANE the DANE-aware clients will send the TLSA base domain, while non-DANE clients will send the original MX hostname, which may be different. So while it is interesting to test failing on SNI mismatch, please DO NOT fail handshakes on SNI mismatch in SMTP.

--
Viktor.

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: [openssl-users] SNI callback
On 28/11/2018 21:03, Benjamin Kaduk via openssl-users wrote:
> On Wed, Nov 28, 2018 at 08:48:10PM +, Jeremy Harris wrote:
>> OpenSSL 1.1.1 FIPS 11 Sep 2018
>> RHEL 8.0 beta
>>
>> Using SSL_CTX_set_tlsext_servername_callback()
>> when the called routine returns SSL_TLSEXT_ERR_NOACK
>> I was expecting the handshake to fail. It carries
>> on; am I doing something wrong?
>
> NOACK is basically "pretend that there wasn't a callback here";
> you should probably use SSL_TLSEXT_ERR_ALERT_FATAL to abort the
> connection if you want the handshake to fail.

Gotcha.
-
Thanks
Re: [openssl-users] SNI callback
On Wed, Nov 28, 2018 at 08:48:10PM +, Jeremy Harris wrote:
> OpenSSL 1.1.1 FIPS 11 Sep 2018
> RHEL 8.0 beta
>
> Using SSL_CTX_set_tlsext_servername_callback()
> when the called routine returns SSL_TLSEXT_ERR_NOACK
> I was expecting the handshake to fail. It carries
> on; am I doing something wrong?

NOACK is basically "pretend that there wasn't a callback here"; you should probably use SSL_TLSEXT_ERR_ALERT_FATAL to abort the connection if you want the handshake to fail.

-Ben
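The two points made in this thread (Ben's: NOACK continues the handshake as if no callback existed, ALERT_FATAL aborts it; Viktor's: an SMTP server should not abort on a mismatch because DANE clients may send the TLSA base domain) fit naturally into one servername callback with a "strict" switch. The following is an added example written for this page; it is not code from the thread, from Exim or from OpenSSL. The policy decision is kept in plain C so it can be exercised without a TLS stack; the OpenSSL glue under `USE_OPENSSL` uses the documented `SSL_CTX_set_tlsext_servername_callback` contract (`int cb(SSL *, int *al, void *arg)`). The hostnames, the `sni_decide`/`example_decide` helpers and the `USE_OPENSSL` macro are assumptions constructed for the example.

```c
#include <stddef.h>
#include <string.h>
#include <ctype.h>

/* Added example, not from the thread. Policy layer for an OpenSSL SNI
 * callback: decide what the callback should return for a given SNI value.
 * The OpenSSL glue below maps these onto the SSL_TLSEXT_ERR_* codes. */
enum sni_decision {
    SNI_DECISION_OK,          /* name matched: serve it (SSL_TLSEXT_ERR_OK) */
    SNI_DECISION_NOACK,       /* no/unknown name, continue with the default
                                 cert as if no callback existed (SSL_TLSEXT_ERR_NOACK) */
    SNI_DECISION_ALERT_FATAL  /* unknown name in strict mode: abort the
                                 handshake (SSL_TLSEXT_ERR_ALERT_FATAL) */
};

/* Hostnames in SNI are ASCII case-insensitive; also tolerate one trailing dot. */
static int sni_name_equal(const char *a, const char *b)
{
    size_t la = strlen(a), lb = strlen(b);
    if (la && a[la - 1] == '.') la--;
    if (lb && b[lb - 1] == '.') lb--;
    if (la != lb) return 0;
    for (size_t i = 0; i < la; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i]))
            return 0;
    return 1;
}

/* sni:     server_name from the ClientHello, or NULL if the client sent none.
 * names/n: the hostnames this server holds certificates for.
 * strict:  nonzero where a mismatch is an error (e.g. an HTTPS vhost);
 *          zero for SMTP, where DANE-aware clients legitimately send the
 *          TLSA base domain rather than the MX name, so a mismatch must
 *          not fail the handshake.
 * On SNI_DECISION_OK, *matched (if non-NULL) receives the matching index. */
enum sni_decision sni_decide(const char *sni, const char *const *names,
                             size_t n, int strict, size_t *matched)
{
    if (sni == NULL || *sni == '\0')
        return SNI_DECISION_NOACK;          /* nothing to acknowledge */
    for (size_t i = 0; i < n; i++) {
        if (sni_name_equal(sni, names[i])) {
            if (matched) *matched = i;
            return SNI_DECISION_OK;
        }
    }
    return strict ? SNI_DECISION_ALERT_FATAL : SNI_DECISION_NOACK;
}

/* Constructed sample vhost list for the demo below (hypothetical names). */
const char *const example_names[] = { "mail.example.com", "mx1.example.net" };
const size_t example_names_count = 2;

/* Demo wrapper: returns the matched index, -1 for NOACK, -2 for ALERT_FATAL. */
int example_decide(const char *sni, int strict)
{
    size_t idx = 0;
    switch (sni_decide(sni, example_names, example_names_count, strict, &idx)) {
    case SNI_DECISION_OK:          return (int)idx;
    case SNI_DECISION_ALERT_FATAL: return -2;
    default:                       return -1;
    }
}

#ifdef USE_OPENSSL
/* Real callback glue; build with -DUSE_OPENSSL -lssl -lcrypto. */
#include <openssl/ssl.h>

struct sni_vhosts {
    const char *const *names;
    SSL_CTX *const *ctxs;     /* ctxs[i] carries the cert/key for names[i] */
    size_t n;
    int strict;               /* 0 for an SMTP listener */
};

static int sni_callback(SSL *ssl, int *al, void *arg)
{
    const struct sni_vhosts *vh = arg;
    const char *sni = SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name);
    size_t idx = 0;

    switch (sni_decide(sni, vh->names, vh->n, vh->strict, &idx)) {
    case SNI_DECISION_OK:
        SSL_set_SSL_CTX(ssl, vh->ctxs[idx]);  /* switch to the matching cert */
        return SSL_TLSEXT_ERR_OK;
    case SNI_DECISION_ALERT_FATAL:
        *al = SSL_AD_UNRECOGNIZED_NAME;       /* alert description sent to the peer */
        return SSL_TLSEXT_ERR_ALERT_FATAL;
    default:
        return SSL_TLSEXT_ERR_NOACK;          /* handshake continues, default cert */
    }
}
/* Install on the default context:
 *   SSL_CTX_set_tlsext_servername_callback(default_ctx, sni_callback);
 *   SSL_CTX_set_tlsext_servername_arg(default_ctx, &vhosts); */
#endif
```

With `strict` set, an unrecognised name produces a fatal `unrecognized_name` alert and the handshake fails, which is the behaviour Jeremy expected from NOACK; with `strict` clear, the same mismatch falls through to NOACK and the connection proceeds on the default certificate, which is the right behaviour for an SMTP listener.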
[openssl-users] SNI callback
OpenSSL 1.1.1 FIPS 11 Sep 2018
RHEL 8.0 beta

Using SSL_CTX_set_tlsext_servername_callback()
when the called routine returns SSL_TLSEXT_ERR_NOACK
I was expecting the handshake to fail. It carries
on; am I doing something wrong?

--
Thanks,
Jeremy