Kalle Olavi Niemitalo <[email protected]> writes:

> * Debian bug 528661: If using GNUTLS 2.1.7 or later, disable various
>   TLS extensions (including CERT and SERVERNAME) to help handshaking
>   with the SSLv3-only bugzilla.novell.com.

Disabling the SERVERNAME extension seems like a bad idea -- I believe Mozilla (and IE on Vista) enables it by default, and some sites may be using that to provide HTTPS virtual hosting.

On the other hand, the elinks code used to send "localhost" as the SNI, which is even worse than not using the extension at all. So if you cannot send the proper server name (as entered by the user or from a HREF tag), it is better to disable the extension (as you have done). The best is to use the SERVERNAME extension and send the expected hostname, though.

The problem with bugzilla.novell.com was that it didn't like TLSv1.1. It didn't have a problem with TLSv1.0 + extensions. (However, there may be _other_ servers out there that cannot handle TLS extensions...)

/Simon

