Ensure s_client sends an SNI extension by default

Enforcement of an SNI extension in the initial ClientHello is becoming
increasingly common (e.g. see GitHub issue #2580). This commit changes
s_client so that it adds SNI be default, unless explicitly told not to via
the new "-noservername" option.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2614)

1 files changed, 12 insertions, 1 deletions

diff --git a/doc/man1/s_client.pod b/doc/man1/s_client.pod
index cc2ad4f1f2..16538567bc 100644
--- a/doc/man1/s_client.pod
+++ b/doc/man1/s_client.pod
@@ -14,6 +14,7 @@ B<openssl> B<s_client>
 [B<-4>]
 [B<-6>]
 [B<-servername name>]
+[B<-noservername>]
 [B<-verify depth>]
 [B<-verify_return_error>]
 [B<-cert filename>]
@@ -156,7 +157,17 @@ Use IPv6 only.
 
 =item B<-servername name>
 
-Set the TLS SNI (Server Name Indication) extension in the ClientHello message.
+Set the TLS SNI (Server Name Indication) extension in the ClientHello message to
+the given value.
+
+=item B<-noservername>
+
+Suppresses sending of the SNI (Server Name Indication) extension in the
+ClientHello message. Cannot be used in conjunction with the B<-servername> or
+<-dane_tlsa_domain> options. If this option is not given then the hostname
+provided to the B<-connect> option is used in the SNI extension, or "localhost"
+if B<-connect> has not been supplied. Note that an SNI name should normally be a
+DNS name and not an IP address.
 
 =item B<-cert certname>