While playing around with the DANE support in OpenSSL 1.1 I noticed
that the TLS handshake will fail if I specify an empty name:
SSL_dane_enable(ssl, "")
(AFAICT no name is needed for DANE-TA(2) RRs).

This can also be reproduced using
openssl s_client -servername "" ...

The error I'm getting is:
SSL3 alert read:fatal:decode error
SSL_connect:error in SSLv3/TLS write client hello
694985564:error:1409441A:SSL routines:ssl3_read_bytes:reason(1050):record/rec_layer_s3.c:1346:SSL alert number 50

It seems an empty name should not be allowed:
RFC 3546 3.1: opaque HostName<1..2^16-1>;

Maybe SSL_set_tlsext_host_name() should return an error if an empty
name is passed?

PS: SSL_CTX_dane_enable.pod:
=head1 SEE ALSO
...
L<SSL_set_tlsext_host_name(3)>,

but AFAICT that man page does not exist.
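Added example (not from the post author and not OpenSSL code): a small encoder and strict parser for the TLS server_name extension as defined in RFC 3546 3.1 / RFC 6066 3, plus the client-side check the post suggests SSL_set_tlsext_host_name() should perform. Encoding an empty name produces a HostName with length 0, which the parser rejects the same way a server does with a decode_error alert; a non-empty name round-trips. Function names and the constructed sample names are assumptions made for this example.

```python
import struct

SNI_EXTENSION_TYPE = 0x0000  # server_name, RFC 6066


def sni_name_is_valid(host: str) -> bool:
    """The check a client should make before passing a name to
    SSL_set_tlsext_host_name(): HostName is <1..2^16-1> octets, so an
    empty name is never legal on the wire.  Host names are sent as
    ASCII (A-labels for IDNs), so non-ASCII input is rejected too."""
    try:
        raw = host.encode("ascii")
    except UnicodeEncodeError:
        return False
    return 0 < len(raw) <= 0xFFFF


def encode_sni_extension(host: str) -> bytes:
    """Encode a complete server_name extension (type + length + body).
    Deliberately unvalidated so that the empty-name case can be shown."""
    name = host.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(name)) + name  # NameType host_name(0)
    server_name_list = struct.pack("!H", len(entry)) + entry
    return struct.pack("!HH", SNI_EXTENSION_TYPE, len(server_name_list)) + server_name_list


def parse_sni_extension(ext: bytes) -> list:
    """Strictly parse an encoded server_name extension and return the
    host_name entries.  Raises ValueError on anything malformed, which
    is the condition a TLS server reports as alert decode_error (50)."""
    if len(ext) < 4:
        raise ValueError("truncated extension header")
    ext_type, ext_len = struct.unpack("!HH", ext[:4])
    if ext_type != SNI_EXTENSION_TYPE:
        raise ValueError("not a server_name extension")
    body = ext[4:]
    if len(body) != ext_len:
        raise ValueError("extension length does not match data")
    if len(body) < 2:
        raise ValueError("missing server_name_list length")
    (list_len,) = struct.unpack("!H", body[:2])
    entries = body[2:]
    if list_len == 0 or list_len != len(entries):
        raise ValueError("server_name_list must be 1..2^16-1 octets")

    names = []
    pos = 0
    while pos < len(entries):
        if len(entries) - pos < 3:
            raise ValueError("truncated ServerName entry")
        name_type = entries[pos]
        (name_len,) = struct.unpack("!H", entries[pos + 1:pos + 3])
        pos += 3
        if name_len == 0:
            # This is the case the post hits: HostName<1..2^16-1> forbids it.
            raise ValueError("empty HostName is not allowed")
        if pos + name_len > len(entries):
            raise ValueError("HostName runs past end of list")
        raw = entries[pos:pos + name_len]
        pos += name_len
        if name_type == 0:
            names.append(raw.decode("ascii"))
        # Other NameType values are unknown to us and are ignored (RFC 6066).
    return names


def sni_extension_is_wellformed(ext: bytes) -> bool:
    """Boolean wrapper around parse_sni_extension() for quick checks."""
    try:
        parse_sni_extension(ext)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample inputs: one valid name and the empty name from the post.
    for host in ("example.com", ""):
        ext = encode_sni_extension(host)
        print(repr(host), ext.hex(), "client check:", sni_name_is_valid(host),
              "server accepts:", sni_extension_is_wellformed(ext))
```

Running the block shows that the empty name encodes to `000000050003000000`, i.e. a NameType byte followed by a zero-length HostName, which the parser refuses; performing the `sni_name_is_valid` check on the client side avoids sending such a ClientHello at all.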

_______________________________________________
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev