Hi, the implementation of SNI in OpenSSL probably does not correspond to the RFC. The RFC seems to allow changing the servername at any time in a ClientHello, and the servername extension in the ServerHello is wrong when the client has changed the servername (the name is not acknowledged, but no client actually cares).
The code in t1_lib.c prohibits this. I am working on a fix according to the following outline:

- The tests in the parsing routine that check the previous values of ssl->session->tlsext_hostname and servername_done are removed.
- An existing host in ssl->session->tlsext_hostname is replaced by the new value (if necessary).
- servername_done is handled in a correct way, i.e. signaling back the non-presence of a callback, or the callback pretending it.
- The server name indication in the ServerHello is sent correctly, also for resumed sessions.

I am tempted to remove (or at least rename) the servername_done variable in ssl, since it is not really necessary; i.e. its presence, i.e. the presence of the bug, can be tested at compile/configure time by an application. Only t1_lib.c code is affected.

______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List openssl-dev@openssl.org
Automated List Manager majord...@openssl.org
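The following is an added, stand-alone example and not code from OpenSSL's t1_lib.c or from the poster's fix. It shows the wire format the post is arguing about (the server_name extension body of RFC 6066 section 3, the current version of "the RFC"), a parser that replaces an already-stored host name when a later ClientHello carries a different one instead of rejecting it, and the empty server_name extension a server puts in its ServerHello to acknowledge the name. All names (sni_state, sni_parse, sni_encode_body, sni_build_server_ack, sni_selftest) are invented for this example; the host names fed to the self-test are constructed.

```c
/* Added example, not OpenSSL code: RFC 6066 server_name parsing that
 * replaces a changed host name, plus the ServerHello acknowledgment.
 * All identifiers here are invented for illustration. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SNI_HOST_NAME 0 /* NameType host_name(0), the only type RFC 6066 defines */

struct sni_state {
    char *hostname;        /* last host_name received, NULL if none yet */
    int   servername_done; /* set once a host_name has been stored */
};

/* ClientHello extension body for one host name:
 * ServerNameList length (2) | NameType (1) | HostName length (2) | name.
 * Returns bytes written, 0 if the name does not fit. */
static size_t sni_encode_body(const char *name, uint8_t *out, size_t cap)
{
    size_t n = strlen(name);
    if (n == 0 || n > 0xFFFF - 3 || cap < n + 5)
        return 0;
    out[0] = (uint8_t)((n + 3) >> 8);
    out[1] = (uint8_t)((n + 3) & 0xFF);
    out[2] = SNI_HOST_NAME;
    out[3] = (uint8_t)(n >> 8);
    out[4] = (uint8_t)(n & 0xFF);
    memcpy(out + 5, name, n);
    return n + 5;
}

/* Parse one server_name extension body. Returns 1 if a host_name was stored
 * (replacing any earlier one), 0 if the list carried no host_name, and -1
 * if the bytes are malformed (state is left untouched in that case). */
static int sni_parse(struct sni_state *st, const uint8_t *data, size_t len)
{
    const uint8_t *host = NULL;
    size_t host_len = 0, pos = 2;
    char *copy;

    if (len < 2 || ((((size_t)data[0] << 8) | data[1]) != len - 2))
        return -1;
    while (pos < len) {
        uint8_t type;
        size_t name_len;
        if (len - pos < 3)
            return -1;
        type = data[pos];
        name_len = ((size_t)data[pos + 1] << 8) | data[pos + 2];
        pos += 3;
        if (name_len == 0 || name_len > len - pos)
            return -1;
        if (type == SNI_HOST_NAME) {
            if (host != NULL)                            /* RFC 6066: one name per type */
                return -1;
            if (memchr(data + pos, 0, name_len) != NULL) /* no embedded NUL */
                return -1;
            host = data + pos;
            host_len = name_len;
        }
        pos += name_len; /* unknown NameTypes are skipped */
    }
    if (host == NULL)
        return 0;
    copy = malloc(host_len + 1);
    if (copy == NULL)
        return -1;
    memcpy(copy, host, host_len);
    copy[host_len] = '\0';
    free(st->hostname); /* a changed name replaces the old one, no rejection */
    st->hostname = copy;
    st->servername_done = 1;
    return 1;
}

/* ServerHello acknowledgment: extension type server_name (0x0000) with an
 * empty extension_data (length 0x0000). Returns bytes written (4). */
static size_t sni_build_server_ack(uint8_t *out, size_t cap)
{
    if (cap < 4)
        return 0;
    memset(out, 0, 4);
    return 4;
}

static void sni_clear(struct sni_state *st)
{
    free(st->hostname);
    st->hostname = NULL;
    st->servername_done = 0;
}

/* Scenario from the post: first ClientHello, second ClientHello with a
 * different name, then a corrupted extension. Returns 1 when all hold. */
static int sni_selftest(void)
{
    struct sni_state st = { NULL, 0 };
    uint8_t body[64], ack[4];
    size_t n = sni_encode_body("example.org", body, sizeof body); /* constructed */
    int ok = n == 16 && sni_parse(&st, body, n) == 1 && strcmp(st.hostname, "example.org") == 0;
    n = sni_encode_body("other.test", body, sizeof body);         /* constructed */
    ok = ok && sni_parse(&st, body, n) == 1 && strcmp(st.hostname, "other.test") == 0;
    body[1] = 0x20; /* corrupt ServerNameList length: must be rejected, state kept */
    ok = ok && sni_parse(&st, body, n) == -1 && strcmp(st.hostname, "other.test") == 0;
    ok = ok && sni_build_server_ack(ack, sizeof ack) == 4 && ack[0] == 0 && ack[3] == 0;
    sni_clear(&st);
    return ok && st.hostname == NULL;
}

int main(void)
{
    printf("sni example: %s\n", sni_selftest() ? "ok" : "FAILED");
    return 0;
}
```

The point of the replace-instead-of-reject branch is the one the post makes: a renegotiating client may legitimately send a new ClientHello with a different name, so the only thing worth rejecting is a malformed list, not a changed one. The acknowledgment is deliberately content-free, which is why a client that checks it learns nothing beyond "the server saw some server_name".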