On Fri, Jun 16, 2017 at 07:49:16AM -0700, Kevin McArthur wrote:
> Any chance of getting the SNI pass-through to verifyhost supported into the
> next release? Bit of a security issue..
Unfortunately it cannot be backported since it doesn't exist at all in mainline. Someone has to figure out how to do it and to implement it first before it has a chance to exist in a maintenance branch.

For the short term, I guess the easiest we could do would possibly be to at least emit a warning when SNI is configured on a server with verifyhost, indicating that it can represent a risk since the cert's names are not checked against the ones in the SNI. Then we can remove the warning when the check is implemented.

Just my 2 cents,
Willy
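A configuration lint that implements the warning Willy proposes, added here as an example and not part of the thread or of HAProxy itself: it flags every `server` line that sets both `sni` and `verifyhost`, since the name sent in SNI is not the one the certificate is checked against. The haproxy.cfg fragment is constructed, and the list of server keywords treated as taking one argument is an assumption limited to what the sample uses.

```python
# Constructed haproxy.cfg fragment (not from the mailing-list thread).
SAMPLE_CFG = """\
backend be_api
    server api1 10.0.0.10:443 ssl verify required ca-file /etc/ssl/certs/ca.pem verifyhost api.example.com
    server api2 10.0.0.11:443 ssl verify required ca-file /etc/ssl/certs/ca.pem sni req.hdr(host) verifyhost api.example.com
    server plain 10.0.0.12:80 check
"""

# Assumption: only these server keywords take exactly one argument; all
# other tokens on the line are treated as bare flags (e.g. 'ssl', 'check').
ONE_ARG_KEYWORDS = {"sni", "verifyhost", "verify", "ca-file", "crl-file", "crt"}


def parse_server_line(line):
    """Return (name, opts) for a 'server' line, or None for any other line.
    opts maps each keyword to its argument, or to True for bare flags."""
    tokens = line.split()
    if len(tokens) < 3 or tokens[0] != "server":
        return None
    name, opts = tokens[1], {}
    i = 3  # tokens[2] is the address:port
    while i < len(tokens):
        kw = tokens[i]
        if kw in ONE_ARG_KEYWORDS and i + 1 < len(tokens):
            opts[kw] = tokens[i + 1]
            i += 2
        else:
            opts[kw] = True
            i += 1
    return name, opts


def find_sni_verifyhost_risks(cfg_text):
    """Return one warning per TLS server that combines 'sni' with 'verifyhost':
    the certificate names are checked only against the fixed verifyhost value,
    never against the name actually sent in the SNI extension."""
    warnings = []
    for raw in cfg_text.splitlines():
        parsed = parse_server_line(raw.strip())
        if parsed is None:
            continue
        name, opts = parsed
        if "ssl" in opts and "sni" in opts and "verifyhost" in opts:
            warnings.append(
                f"server {name}: sni {opts['sni']} with verifyhost {opts['verifyhost']}: "
                "cert names are checked against verifyhost only, not the SNI value"
            )
    return warnings
```

Run it over a real configuration by reading the file into `find_sni_verifyhost_risks`; the warning is meant to disappear once HAProxy itself checks the certificate against the SNI name.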

