[stunnel-users] SNI support in OpenSSL

Guillermo Rodriguez Garcia guille.rodriguez at gmail.com
Sun May 8 13:54:49 CEST 2016


Hello all,

The stunnel documentation says that SNI requires stunnel to be linked
with OpenSSL >= 1.0.0. However, SNI is supported in OpenSSL since
0.9.8f (and actually enabled by default since 0.9.8k).

For 0.9.8f and later, OPENSSL_NO_TLSEXT will be defined if TLS
extension support (including SNI support) is not compiled into
OpenSSL.

Taking the above into account, the OpenSSL version check in stunnel
(src/common.h) could be relaxed a bit. Instead of:

#if OPENSSL_VERSION_NUMBER<0x10000000L
#define OPENSSL_NO_TLSEXT
#define OPENSSL_NO_PSK
#endif /* OpenSSL older than 1.0.0 */

this could be:

#if OPENSSL_VERSION_NUMBER<0x00908060L
#define OPENSSL_NO_TLSEXT
#endif /* OpenSSL older than 0.9.8f */

#if OPENSSL_VERSION_NUMBER<0x10000000L
#define OPENSSL_NO_PSK
#endif /* OpenSSL older than 1.0.0 */

This would enable SNI on systems using 0.9.8 (Mac OS X for example).

Best regards,

Guillermo Rodriguez Garcia
guille.rodriguez at gmail.com


More information about the stunnel-users mailing list