While playing around with the DANE support in OpenSSL 1.1 I noticed that the TLS handshake will fail if I specify an empty name: SSL_dane_enable(ssl, "") (AFAICT no name is needed for DANE-TA(2) RRs).
This can also be reproduced using openssl s_client -servername "" ...

The error I'm getting is:

    SSL3 alert read:fatal:decode error
    SSL_connect:error in SSLv3/TLS write client hello
    694985564:error:1409441A:SSL routines:ssl3_read_bytes:reason(1050):record/rec_layer_s3.c:1346:SSL alert number 50

It seems an empty name should not be allowed:

RFC 3546 3.1:

    opaque HostName<1..2^16-1>;

Maybe SSL_set_tlsext_host_name() should return an error if an empty name is passed?

PS: SSL_CTX_dane_enable.pod:

    =head1 SEE ALSO
    ...
    L<SSL_set_tlsext_host_name(3)>,

but AFAICT that man page does not exist.
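An added example, not part of the original post and not OpenSSL code: a strict parser for the server_name extension body that enforces the HostName<1..2^16-1> bound quoted above, showing how a zero-length host name maps to decode_error (alert 50), plus the matching length check a client could run before sending. The function names and the sample byte strings are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define SNI_OK 0
#define ALERT_DECODE_ERROR 50 /* alert number seen in the report */

/* Constructed samples of server_name extension_data (not captured traffic). */
static const uint8_t SAMPLE_EMPTY[] = {0x00, 0x03, 0x00, 0x00, 0x00};
static const uint8_t SAMPLE_OK[] = {0x00, 0x0e, 0x00, 0x00, 0x0b,
    'e', 'x', 'a', 'm', 'p', 'l', 'e', '.', 'c', 'o', 'm'};

/* Client-side guard: 1 if name fits HostName<1..2^16-1>, else 0. */
int hostname_len_ok(const char *name)
{
    size_t n = name ? strlen(name) : 0;
    return n >= 1 && n <= 0xFFFF;
}

/* Receiver-side parse of a ServerNameList; returns the first host_name. */
int parse_server_name(const uint8_t *p, size_t len,
                      const uint8_t **host, size_t *host_len)
{
    *host = NULL; *host_len = 0;
    if (len < 2) return ALERT_DECODE_ERROR;
    size_t list_len = ((size_t)p[0] << 8) | p[1];
    p += 2; len -= 2;
    /* server_name_list<1..2^16-1>: non-empty and exactly fills the body */
    if (list_len == 0 || list_len != len) return ALERT_DECODE_ERROR;
    while (len > 0) {
        if (len < 3) return ALERT_DECODE_ERROR;
        uint8_t type = p[0];
        size_t n = ((size_t)p[1] << 8) | p[2];
        p += 3; len -= 3;
        if (n > len) return ALERT_DECODE_ERROR;
        /* name_type 0 is host_name; a zero-length HostName is malformed */
        if (type == 0 && n == 0) return ALERT_DECODE_ERROR;
        if (type == 0 && *host == NULL) { *host = p; *host_len = n; }
        p += n; len -= n;
    }
    return SNI_OK;
}

int main(void)
{
    const uint8_t *h; size_t n;
    printf("empty: %d\n", parse_server_name(SAMPLE_EMPTY, sizeof SAMPLE_EMPTY, &h, &n));
    printf("valid: %d\n", parse_server_name(SAMPLE_OK, sizeof SAMPLE_OK, &h, &n));
    return 0;
}
```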