The branch master has been updated via 481afe2ad1325caf4beb0b9dee89cf69e7825e99 (commit) from 979874a208e2244e1e65533aaa31d7aa0cf00cc5 (commit)
- Log ----------------------------------------------------------------- commit 481afe2ad1325caf4beb0b9dee89cf69e7825e99 Author: Paul Yang <paulyang....@gmail.com> Date: Tue Jun 13 20:18:55 2017 +0800 Make SNI behavior more clear in s_client doc & help Update s_client -help and pod file. Signed-off-by: Paul Yang <paulyang....@gmail.com> Reviewed-by: Andy Polyakov <ap...@openssl.org> Reviewed-by: Rich Salz <rs...@openssl.org> (Merged from https://github.com/openssl/openssl/pull/3654) ----------------------------------------------------------------------- Summary of changes: apps/s_client.c | 2 +- doc/man1/s_client.pod | 14 +++++++++----- 2 files changed, 10 insertions(+), 6 deletions(-) diff --git a/apps/s_client.c b/apps/s_client.c index 663ab49..8af3853 100644 --- a/apps/s_client.c +++ b/apps/s_client.c @@ -651,7 +651,7 @@ const OPTIONS s_client_options[] = { "CA file for certificate verification (PEM format)"}, {"nocommands", OPT_NOCMDS, '-', "Do not use interactive command letters"}, {"servername", OPT_SERVERNAME, 's', - "Set TLS extension servername in ClientHello"}, + "Set TLS extension servername (SNI) in ClientHello (default)"}, {"noservername", OPT_NOSERVERNAME, '-', "Do not send the server name (SNI) extension in the ClientHello"}, {"tlsextdebug", OPT_TLSEXTDEBUG, '-', diff --git a/doc/man1/s_client.pod b/doc/man1/s_client.pod index 5414ffa..9f6084d 100644 --- a/doc/man1/s_client.pod +++ b/doc/man1/s_client.pod 
@@ -159,16 +159,20 @@ Use IPv6 only. =item B<-servername name> Set the TLS SNI (Server Name Indication) extension in the ClientHello message to -the given value. +the given value. If both this option and the B<-noservername> are not given, the +TLS SNI extension is still set to the hostname provided to the B<-connect> option, +or "localhost" if B<-connect> has not been supplied. This is default since OpenSSL +1.1.1. + +Even though SNI name should normally be a DNS name and not an IP address, this +option will not make the distinction when parsing B<-connect> and will send +IP address if one passed. =item B<-noservername> Suppresses sending of the SNI (Server Name Indication) extension in the ClientHello message. Cannot be used in conjunction with the B<-servername> or -<-dane_tlsa_domain> options. If this option is not given then the hostname -provided to the B<-connect> option is used in the SNI extension, or "localhost" -if B<-connect> has not been supplied. Note that an SNI name should normally be a -DNS name and not an IP address. +<-dane_tlsa_domain> options. =item B<-cert certname> _____ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
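Review bot: In the apps/s_client.c hunk, the new help string for "servername" ends in "(default)", which is ambiguous for an option that takes an argument (type 's'): it does not say which name is sent when the option is omitted. The pod text in this same commit states that the default is the hostname given to -connect, or "localhost"; consider putting that in the help line, for example "(default: the -connect host)", so that -help and the manual say the same thing.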
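Review bot: In the doc/man1/s_client.pod hunk, the added paragraph under B<-servername> says "this option will not make the distinction when parsing B<-connect>", but the behaviour it describes occurs only when B<-servername> is absent and the name is taken from B<-connect>. Reword it to describe the default path, and point to B<-noservername> as the way to avoid sending an IP address as SNI when connecting by address. Two smaller points in the same hunk: "If both this option and the B<-noservername> are not given" reads more clearly as "If neither this option nor B<-noservername> is given", and the re-added line "<-dane_tlsa_domain> options." still lacks the leading B of the pod formatting code.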