On Sun, Nov 21, 2021 at 01:11:13AM +0100, William Lallemand wrote:
> On Fri, Nov 19, 2021 at 08:03:22PM +0100, Willy Tarreau wrote:
> > - since TLS early-data support was added, resumed connections could
> >   cause a confusingly incorrect error to be reported if the strict-sni
> >   was used or changed, because the session would still be accepted. This
> >   affects 1.8 and above.
>
> Not exactly: every non-matching SNI with strict-sni activated was
> causing an accidental "handshake failure" instead of an "unrecognized
> name", because the clientHello callback was returning with a success
> code. The error was generated after the callback because OpenSSL
> couldn't finish the handshake.
>
> However, in the case of a resume, no error was reported, but OpenSSL
> didn't have any handshake to do, so the connection was still accepted
> even though the SNI wasn't matching.

Thanks for clarifying and sorry for the confusion.
Willy