On Mon, Feb 23, 2026 at 9:58 AM Dmitry Dolgov <[email protected]> wrote:
> No deep reason, it was just useful for some particular experiments and
> for gathering understanding of what's going on. Would you find it
> reasonable to have both, shared groups and the negotiated group, or
> having only the latter is strictly better?

Well, take this with a grain of salt, because I tend to use tools other than sslinfo for TLS debugging. But it seems to me that all of the sslinfo functions cater to facts about the current connection: the client certificate, the cipher, the protocol version. These new functions instead focus on what *might* have been, which makes them kind of awkward.

Maybe sslinfo should be expanded to give us those tools as well, but I wonder if handshake debugging might be a better fit for some debug logging on the server side. Or if there might be an overall feature here -- "why did the negotiation behave this way?" -- that could be better served by something that's not a new array of sslinfo functions that have to be correlated with each other.

(Also, while I was taking a look at ssl_extension_info(), I realized that it's focused on certificate extensions and not protocol extensions. It's kind of unfortunately named.)

--Jacob
