Hi,

> I think the next version may or may not contain the same client hello
> format. If it allows it, I don't have any issues; if it doesn't allow it, then
> the code may crash or it may return a bad value for SNI. I just suggested
> it for safety reasons; it's just my input.

If HAProxy crashed, we would need to fix the actual reason for the
crash, not ignore SNI when the TLS version is higher than 1.2, because an
attacker can always send packets with TLSv1.2 and the offending payload,
even if it's not a valid packet as per the RFC.


As for bad values: SNI is a client-provided value and thus must never
be trusted. We can use it for routing the request to different backends,
but we always need to validate it before doing anything with it.




Regards,

Lukas
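To illustrate the two points above (a parser that tolerates malformed hellos instead of crashing, and an SNI that is validated before it is used for routing), here is an added example that is not HAProxy's code or anything from this thread. It assumes a minimal ClientHello layout built inline as constructed sample input, and an allow-list of backend host names standing in for the proxy's routing table.

```python
import re
import struct

LABEL_RE = re.compile(r"[a-z0-9](?:[a-z0-9-]*[a-z0-9])?")

def build_client_hello(server_name: bytes) -> bytes:
    """Constructed sample: minimal TLS 1.2 ClientHello record with one SNI extension."""
    entry = b"\x00" + struct.pack(">H", len(server_name)) + server_name  # name_type 0 = host_name
    sni = struct.pack(">H", len(entry)) + entry
    ext = struct.pack(">HH", 0, len(sni)) + sni                            # extension type 0 = server_name
    body = (b"\x03\x03" + bytes(32)                    # client_version + random
            + b"\x00" + b"\x00\x02\x00\x2f" + b"\x01\x00"  # empty session id, 1 suite, 1 compression
            + struct.pack(">H", len(ext)) + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack(">H", len(hs)) + hs

def extract_sni(record: bytes):
    """Return the raw SNI host_name from a ClientHello, or None. Every length field
    is bounds-checked so a truncated or lying hello yields None, not an exception."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        return None
    body, pos = record[9:], 34                                # skip version + random
    try:
        pos += 1 + body[pos]                                  # session id
        pos += 2 + struct.unpack_from(">H", body, pos)[0]     # cipher suites
        pos += 1 + body[pos]                                  # compression methods
        end = pos + 2 + struct.unpack_from(">H", body, pos)[0]
        pos += 2
        if end > len(body):                                   # extensions claim more than sent
            return None
        while pos + 4 <= end:
            etype, elen = struct.unpack_from(">HH", body, pos)
            pos += 4
            if etype == 0:                                    # server_name extension
                nlen = struct.unpack_from(">H", body, pos + 3)[0]
                if body[pos + 2] != 0 or 5 + nlen > elen or pos + elen > end:
                    return None
                return body[pos + 5:pos + 5 + nlen].decode("ascii")
            pos += elen
    except (IndexError, struct.error, UnicodeDecodeError):
        return None
    return None

def validate_sni(name, allowed):
    """Treat SNI as untrusted: accept only a well-formed host name on the allow-list."""
    host = (name or "").lower().rstrip(".")
    ok = 0 < len(host) <= 253 and all(
        0 < len(l) <= 63 and LABEL_RE.fullmatch(l) for l in host.split("."))
    return host if ok and host in allowed else None
```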
