[Bug 201446] Server name indication (sni) is not supported in base OpenSSL

bugzilla-noreply at freebsd.org
Fri Jul 10 00:23:59 UTC 2015


Xin LI <delphij at FreeBSD.org> changed:

           What    |Removed                          |Added
             Status|New                              |Closed
           Priority|---                              |Normal
           Assignee|freebsd-standards at FreeBSD.org |delphij at FreeBSD.org
                 CC|                                 |benl at FreeBSD.org,
                   |                                 |delphij at FreeBSD.org,
                   |                                 |freebsd-security at FreeBSD.org,
                   |                                 |jkim at FreeBSD.org,
                   |                                 |re at FreeBSD.org
         Resolution|---                              |Overcome By Events

--- Comment #1 from Xin LI <delphij at FreeBSD.org> ---
This has been a bug in OpenSSL since 1998 and was fixed in 1.0.1n.

The bug is that the default CApath is not consulted unless CAfile or CApath is
also supplied and loaded successfully.  The fix is OpenSSL changeset
fe9b85c3cb79f1e29e61f01de105b34ce8177190.

OpenSSL's SNI support worked just fine otherwise, in my testing.  If you
explicitly pass the right root CAs, it would also work.

This has been fixed in 10.2-RELEASE (currently 10.2-PRERELEASE and soon to be
10.2-BETA1), but since this one affects only the testing program and it has
been there for more than a decade with this being the first complaint, we can
reasonably consider it a low-impact one, and therefore no EN is planned for it,
so I am marking this as "Overcome By Events".

You are receiving this mail because:
You are the assignee for the bug.
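
The comment above says verification works once the right root CAs are passed explicitly. As an added example (not part of the bug report and not OpenSSL's own code), the script below shows offline what an explicit `-CApath` lookup needs: a directory that holds the root under its subject-hash name. The temporary directory, the CN and the function names are constructed for illustration, and it uses `openssl verify` instead of `s_client` so that no network connection is needed.

```shell
# Added example; the CN and all paths are constructed, nothing touches the network.

# make_root DIR: create a throwaway self-signed root at DIR/root.pem.
make_root() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Constructed Test Root" \
        -keyout "$1/root.key" -out "$1/root.pem" >/dev/null 2>&1
}

# install_anchor CAPATH CERT: copy CERT into CAPATH under the file name OpenSSL
# looks up, <subject-hash>.0 (the step that c_rehash automates).
install_anchor() {
    h=$(openssl x509 -in "$2" -noout -hash) || return 1
    cp "$2" "$1/$h.0"
}

# verify_in CAPATH CERT: exit 0 only if CERT chains to a trust anchor; the
# constructed root can only be found through the explicitly supplied CAPATH.
verify_in() {
    openssl verify -CApath "$1" "$2" >/dev/null 2>&1
}

# demo: verify the same certificate against an empty CApath and against one
# that holds the root, then report both outcomes on one line.
demo() {
    work=$(mktemp -d) || return 1
    mkdir "$work/empty" "$work/certs"
    make_root "$work" || { rm -rf "$work"; return 1; }
    if verify_in "$work/empty" "$work/root.pem"; then r1=ok; else r1=fail; fi
    install_anchor "$work/certs" "$work/root.pem"
    if verify_in "$work/certs" "$work/root.pem"; then r2=ok; else r2=fail; fi
    rm -rf "$work"
    echo "empty=$r1 populated=$r2"
}

demo
```

A directory of PEM files that has not been hashed behaves like the empty directory here, which is worth ruling out before concluding that a trust store is not being consulted.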