> On Feb 13, 2017, at 11:13 AM, Matt Caswell <m...@openssl.org> wrote:
>
> I'd like to canvass opinion on this PR:
> https://github.com/openssl/openssl/pull/2614
>
> At the moment s_client does not add the SNI extension by default. You
> have to explicitly ask for it using the "-servername" option.

So long as the "-servername" option remains in place and supports setting the SNI name to something other than the host part of the "-connect" option I think we provide sufficient compatibility with the legacy s_client CLI interface. Adding a "-noservername" option is compatible enough.

The change of default behaviour is not an interface change, it is a behaviour change, and could even, with enough squinting, be viewed as a bugfix, given the modern TLS landscape. That said, even behaviour changes in stable releases do merit discussion.

Certainly I would not support the proposed change in a patch release. For 1.1.1, I am not opposed, because s_client is not stunnel, it is primarily useful as a diagnostic tool, and while some monitoring tools built around it may behave differently as a result of the change, it is not clear that delaying to 1.2.x helps. If we're going to do this, I think that 1.1.1 is OK, if the interface remains compatible.

--
Viktor.