On Fri, Nov 19, 2021 at 08:03:22PM +0100, Willy Tarreau wrote: > - since TLS early-data support was added, resumed connections could > cause a confusingly incorrect error to be reported if the strict-sni > was used or changed, because the session would still be accepted. This > affects 1.8 and above.
Not exactly, every non-matching SNI with strict-sni activated were causing a accidental "handshake failure" instead of a "unrecognized name". Because the clientHello callback was returning with a success code. The error was generated after the callback because openSSL couldn't finish the handshake. However, in the case of a resume, no error was reported, but openSSL didn't had any handshake to do, so the connection was still accepted even though the SNI wasn't matching. -- William Lallemand
