Re: [ANNOUNCE] haproxy-2.5-dev15

2021-11-20 Thread Willy Tarreau
On Sun, Nov 21, 2021 at 01:11:13AM +0100, William Lallemand wrote:
> On Fri, Nov 19, 2021 at 08:03:22PM +0100, Willy Tarreau wrote:
> >   - since TLS early-data support was added, resumed connections could
> > cause a confusingly incorrect error to be reported if the strict-sni
> > was used or changed, because the session would still be accepted. This
> > affects 1.8 and above.
> 
> Not exactly, every non-matching SNI with strict-sni activated was
> causing an accidental "handshake failure" instead of an "unrecognized
> name", because the ClientHello callback was returning with a success
> code. The error was generated after the callback because OpenSSL
> couldn't finish the handshake.
> 
> However, in the case of a resume, no error was reported, but OpenSSL
> didn't have any handshake to do, so the connection was still accepted
> even though the SNI wasn't matching.

Thanks for clarifying and sorry for the confusion.

Willy



Re: [ANNOUNCE] haproxy-2.5-dev15

2021-11-20 Thread William Lallemand
On Fri, Nov 19, 2021 at 08:03:22PM +0100, Willy Tarreau wrote:
>   - since TLS early-data support was added, resumed connections could
> cause a confusingly incorrect error to be reported if the strict-sni
> was used or changed, because the session would still be accepted. This
> affects 1.8 and above.

Not exactly, every non-matching SNI with strict-sni activated was
causing an accidental "handshake failure" instead of an "unrecognized
name", because the ClientHello callback was returning with a success
code. The error was generated after the callback because OpenSSL
couldn't finish the handshake.

However, in the case of a resume, no error was reported, but OpenSSL
didn't have any handshake to do, so the connection was still accepted
even though the SNI wasn't matching.

-- 
William Lallemand
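The two failure modes William describes can be made concrete with a small model of the server-side decision. The following Python is an added illustration, not HAProxy's or OpenSSL's code: `ClientHello`, `ServerConfig`, the two callbacks and `handshake()` are all simplified stand-ins for the real ClientHello callback and the library's handshake state machine. It contrasts a callback that answers "success" without selecting a certificate (so a full handshake dies later with a generic `handshake_failure`, and a resumed session is silently accepted) with one that rejects the unknown name in the callback itself, which is the only point that runs before resumption is decided.

```python
"""Simplified model of strict-sni handling in a TLS server's ClientHello
callback (constructed example; not HAProxy or OpenSSL code).

Two properties make strict-sni effective:
  1. an unknown SNI must be rejected *in* the callback, with the
     unrecognized_name alert, rather than by returning success and letting
     the library fail later with a generic handshake_failure;
  2. because the callback runs before the library decides on resumption,
     rejecting there also covers resumed sessions, where no certificate
     selection happens and a success code simply accepts the connection.
"""
from dataclasses import dataclass
from enum import Enum


class Outcome(Enum):
    ACCEPTED = "accepted"
    ALERT_UNRECOGNIZED_NAME = "alert: unrecognized_name"
    ALERT_HANDSHAKE_FAILURE = "alert: handshake_failure"


@dataclass(frozen=True)
class ClientHello:
    sni: str          # server_name extension sent by the client
    resumed: bool     # client offered a resumable session (ticket / PSK)


@dataclass(frozen=True)
class ServerConfig:
    known_names: frozenset   # names for which a certificate is configured
    strict_sni: bool         # refuse connections whose SNI matches nothing


def buggy_clienthello_cb(hello, cfg):
    """Returns (success, selected_cert). Bug: on a strict-sni mismatch it
    still reports success, just without selecting any certificate."""
    if hello.sni in cfg.known_names:
        return True, hello.sni
    if cfg.strict_sni:
        return True, None          # mismatch reported as success
    return True, "default"         # non-strict: fall back to default cert


def fixed_clienthello_cb(hello, cfg):
    """Returns (success, selected_cert_or_alert). On a strict-sni mismatch
    it fails the callback and names the alert to send."""
    if hello.sni in cfg.known_names:
        return True, hello.sni
    if cfg.strict_sni:
        return False, "unrecognized_name"
    return True, "default"


def handshake(hello, cfg, callback):
    """Model of the library's behaviour after the ClientHello callback."""
    ok, result = callback(hello, cfg)
    if not ok:
        # Callback failure aborts immediately with the alert it chose.
        return Outcome.ALERT_UNRECOGNIZED_NAME
    if hello.resumed:
        # Session restored: no certificate selection left to fail on.
        return Outcome.ACCEPTED
    if result is None:
        # Full handshake with no certificate chosen: generic failure later.
        return Outcome.ALERT_HANDSHAKE_FAILURE
    return Outcome.ACCEPTED


def outcome_matrix(cfg):
    """Run both callbacks over matching/mismatching and fresh/resumed
    ClientHellos; returns {(callback, sni, resumed): Outcome}."""
    results = {}
    for name, cb in (("buggy", buggy_clienthello_cb),
                     ("fixed", fixed_clienthello_cb)):
        for sni in ("app.example", "other.example"):
            for resumed in (False, True):
                results[(name, sni, resumed)] = handshake(
                    ClientHello(sni, resumed), cfg, cb)
    return results


if __name__ == "__main__":
    strict = ServerConfig(frozenset({"app.example"}), strict_sni=True)
    for key, outcome in outcome_matrix(strict).items():
        print(f"{key[0]:5} sni={key[1]:14} resumed={key[2]!s:5} -> {outcome.value}")
```

Running it prints the four cases per callback; the rows to look at are `buggy sni=other.example resumed=True -> accepted` versus the `fixed` row for the same input, which is the resumption hole, and the `buggy ... resumed=False` row, which is the misleading `handshake_failure` instead of `unrecognized_name`.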