On Mon, Feb 23, 2026 at 9:58 AM Dmitry Dolgov <9erthalion6@gmail.com> wrote:
> No deep reason, it was just useful for some particular experiments and
> for gathering understanding of what's going on. Would you find it
> reasonable to have both, shared groups and the negotiated group, or
> having only the latter is strictly better?
Well, take this with a grain of salt, because I tend to use tools
other than sslinfo for TLS debugging. But it seems to me that all of
the sslinfo functions cater to facts about the current connection: the
client certificate, the cipher, the protocol version.
These new functions instead focus on what *might* have been, which
makes them kind of awkward. Maybe sslinfo should be expanded to give
us those tools as well, but I wonder if handshake debugging might be a
better fit for some debug logging on the server side. Or if there
might be an overall feature here -- "why did the negotiation behave
this way?" -- that could be better served by something that's not a
new array of sslinfo functions that have to be correlated with each
other.
(Also, while I was taking a look at ssl_extension_info(), I realized
that it's focused on certificate extensions and not protocol
extensions. It's kind of unfortunately named.)
--Jacob
