strophe / libstrophe

A simple, lightweight C library for writing XMPP clients
http://strophe.im/libstrophe

Enable TLS SNI #146

Closed manuelkasper closed 4 years ago

manuelkasper commented 4 years ago

In STARTTLS mode, the server can use the domainpart contained in the 'to' attribute of the initial stream header to determine which certificate to present (RFC 6210, 5.4.3.1.4). However, in “legacy” SSL mode, TLS SNI is needed to convey this information to the server. It shouldn't hurt to always set it.

Background information: I'm using libstrophe to connect to Firebase Cloud Messaging XMPP servers. After switching to OpenSSL 1.1.1, this gave me certificate verification errors. Turns out that SNI is required by Google servers when connecting with TLSv1.3, or they will present a fake certificate (OU = "No SNI provided; please fix your client.", CN = invalid2.invalid).
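One way to confirm that a client actually emits SNI is to look at its ClientHello rather than at the certificate the server answers with. The script below is an added example, not code from libstrophe or from this pull request: it builds a minimal ClientHello as constructed test data (the hostname `xmpp.example.com` and the cipher-suite bytes are placeholders) and parses the `server_name` extension out of it, which is the same check you would run over a ClientHello extracted from a packet capture of your client.

```python
import struct


def build_client_hello(server_name=None):
    """Build a minimal TLS-framed ClientHello (constructed test data, not a capture).

    server_name: hostname to carry in the server_name (SNI) extension, or None to
    omit the extension, which is what a client that never set SNI sends.
    """
    body = b"\x03\x03" + b"\x11" * 32           # client_version + 32-byte random
    body += b"\x00"                              # empty session_id
    suites = b"\x13\x01\xc0\x2f"                 # two cipher suites (constructed values)
    body += struct.pack("!H", len(suites)) + suites
    body += b"\x01\x00"                          # one compression method: null
    exts = b""
    if server_name is not None:
        host = server_name.encode("idna")        # SNI carries the ASCII A-label form
        entry = b"\x00" + struct.pack("!H", len(host)) + host      # name_type 0 = host_name
        name_list = struct.pack("!H", len(entry)) + entry
        exts += struct.pack("!HH", 0, len(name_list)) + name_list  # extension type 0 = server_name
    # supported_versions (type 43) advertising TLS 1.3, as a modern client would
    exts += struct.pack("!HH", 43, 3) + b"\x02\x03\x04"
    body += struct.pack("!H", len(exts)) + exts
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body      # handshake type 1 = client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def _take(buf, pos, n):
    """Return buf[pos:pos+n], raising on truncation instead of silently shortening."""
    if pos + n > len(buf):
        raise ValueError("truncated ClientHello")
    return buf[pos:pos + n]


def extract_sni(record):
    """Return the host_name from the server_name extension of a ClientHello record,
    or None when the extension is absent. Raises ValueError on malformed input."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = _take(record, 5, rec_len)
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = _take(hs, 4, int.from_bytes(hs[1:4], "big"))
    pos = 2 + 32                                              # skip client_version and random
    pos += 1 + _take(body, pos, 1)[0]                         # session_id
    pos += 2 + struct.unpack("!H", _take(body, pos, 2))[0]    # cipher_suites
    pos += 1 + _take(body, pos, 1)[0]                         # compression_methods
    if pos == len(body):
        return None                                           # no extensions block at all
    ext_end = pos + 2 + struct.unpack("!H", _take(body, pos, 2))[0]
    pos += 2
    while pos + 4 <= ext_end:
        ext_type, ext_len = struct.unpack("!HH", _take(body, pos, 4))
        data = _take(body, pos + 4, ext_len)
        pos += 4 + ext_len
        if ext_type != 0:
            continue
        list_end = 2 + struct.unpack("!H", _take(data, 0, 2))[0]
        q = 2
        while q + 3 <= list_end:
            name_type = data[q]
            name_len = struct.unpack("!H", _take(data, q + 1, 2))[0]
            name = _take(data, q + 3, name_len)
            q += 3 + name_len
            if name_type == 0:
                return name.decode("ascii")
    return None


def sends_sni(record):
    """True when the ClientHello names a host, which a server that selects its
    certificate by SNI needs to see before it can present the right one."""
    return extract_sni(record) is not None


if __name__ == "__main__":
    for host in ("xmpp.example.com", None):     # placeholder hostname, constructed
        hello = build_client_hello(host)
        print(host, "->", extract_sni(hello))
```

Feed `extract_sni` the first TLS record the client sends (for example the bytes of the ClientHello frame as exported from a capture tool) and a `None` result means the client never set SNI, regardless of whether it negotiates STARTTLS or legacy SSL. The parser raises on truncated or non-ClientHello input rather than guessing, so a misidentified record is reported instead of being read as "no SNI".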

pasis commented 4 years ago

Thank you. Please check the above comment.

pasis commented 4 years ago

Merged, thanks.