Hi,

> I would suggest that it will not harm even if you relax the check for
> client hello too as the old client using SSL 3.0 is still supported
> and it's according to RFC

I disagree. SNI is documented as a TLS extension and unsupported in SSLv3.
RFC3546 and RFC6066 are the relevant RFCs, not RFC5246.

Try SSLv3 with SNI:
 openssl s_client -connect localhost:443 -servername snitest -ssl3

The client_hello doesn't contain SNI, because TLS extensions are not
supported in SSLv3.



> and also note that the max supported TLS version is 3.3. I would suggest
> the below mentioned changes.

I disagree here also. Why should we limit the max supported TLS version and
introduce forward compatibility issues? We will just be like those stupid
obsolete SSL middleboxes the browsers need to work around every time they
enable a new SSL feature. I would rather avoid that.



Regards,

Lukas
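As an added example (not part of this thread), a minimal ClientHello parser that shows the point above in code: an SSLv3 ClientHello ends after compression_methods and has no extensions block, so a server-side SNI check has to treat "no extensions" as "no SNI" rather than as a malformed hello. The builder and both sample hellos are constructed here; "snitest" is the name from the s_client command.

```python
import struct

def build_client_hello(version, sni=None):
    """Construct a minimal ClientHello record (constructed sample data, not a capture).
    version is (major, minor): (3, 0) for SSLv3, (3, 3) for TLS 1.2."""
    body = bytes(version) + b"\x00" * 32              # client_version + 32-byte random
    body += b"\x00"                                    # empty session_id
    body += struct.pack("!H", 2) + b"\x00\x2f"        # one cipher suite
    body += b"\x01\x00"                                # one compression method: null
    if sni is not None:                                # TLS only: extensions block
        host = sni.encode("ascii")
        name_list = b"\x00" + struct.pack("!H", len(host)) + host   # name_type 0 = host_name
        sni_ext = struct.pack("!H", len(name_list)) + name_list
        ext = struct.pack("!HH", 0, len(sni_ext)) + sni_ext         # extension_type 0 = server_name
        body += struct.pack("!H", len(ext)) + ext
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body       # HandshakeType 1 = client_hello
    return b"\x16" + bytes(version) + struct.pack("!H", len(handshake)) + handshake

def extract_sni(record):
    """Return the SNI host_name from a ClientHello record, or None when the hello
    carries no server_name extension (which is always the case for SSLv3)."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a ClientHello handshake record")
    hs_end = 9 + int.from_bytes(record[6:9], "big")    # end of the handshake body
    p = 9 + 2 + 32                                     # skip record hdr, hs hdr, version, random
    p += 1 + record[p]                                 # session_id
    p += 2 + struct.unpack("!H", record[p:p + 2])[0]   # cipher_suites
    p += 1 + record[p]                                 # compression_methods
    if p >= hs_end:
        return None                                    # no extensions block: SSLv3-style hello
    ext_end = p + 2 + struct.unpack("!H", record[p:p + 2])[0]
    p += 2
    while p + 4 <= ext_end:
        etype, elen = struct.unpack("!HH", record[p:p + 4])
        p += 4
        if etype == 0:                                 # server_name: walk the ServerNameList
            q = p + 2
            while q + 3 <= p + elen:
                ntype = record[q]
                nlen = struct.unpack("!H", record[q + 1:q + 3])[0]
                if ntype == 0:
                    return record[q + 3:q + 3 + nlen].decode("ascii")
                q += 3 + nlen
        p += elen
    return None
```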
