
curl-library

Re: [PATCH] support for server name indication (RFC 4366)

From: Peter Sylvester <Peter.Sylvester_at_edelweb.fr>
Date: Wed, 13 Feb 2008 11:46:20 +0100

Yang Tse wrote:
> Nearly all TLS extensions introduce a lower security/privacy SSL
> framework than when not used at all. So TLS extensions should be
> explicitly requested and not turned on by default. The security
> considerations are described in RFC 4366 section 6.
This applies to the TLS middle layer, i.e. the SSL machinery, not to the
applications or next layer middleware.
Why must an application permit end users to turn on/off certain features?

In this particular case: what is the security risk?

   If a single server hosts several domains, then clearly it is
   necessary for the owners of each domain to ensure that this satisfies
   their security needs. Apart from this, server_name does not appear
   to introduce significant security issues.

The SNI extension is an addressing hack above the TCP layer,
with a similar purpose to the Host: header, since the mapping of
host name to IP address/port is not an injection.

BTW: I am not sure but the provided patch should verify whether the
host part of the URL is an IP address or a DNS name. Only DNS
names are supported by the extension.
The application, i.e. curl must also respect the issue of internationalized
DNS names, I am not sure whether this is an issue for curl.

-- 
To verify the signature, see http://edelpki.edelweb.fr/ 
This lets you download the authority's certificate; 
you will also find the list of revoked certificates there. 

Received on 2008-02-13
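The two checks the mail asks for, as an added example that is not part of the original message and not the curl patch under discussion: before setting the server_name extension, decide whether the URL host is an IP literal (RFC 4366 section 3.1 forbids IPv4 and IPv6 literals in HostName, so SNI must simply be omitted) and whether it is plain ASCII (HostName is ASCII-encoded; an internationalized name must be converted to its A-label form before it can be sent). The function names `host_is_ip_literal` and `sni_hostname` are hypothetical, and the host strings in `main` are constructed for illustration.

```c
#define _POSIX_C_SOURCE 200112L
#include <arpa/inet.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/*
 * Return true if `host` is an IPv4 or IPv6 literal as it appears in the
 * host part of a URL: dotted quad, bare IPv6, or IPv6 in brackets,
 * optionally with a "%zone" suffix. inet_pton() is strict, so shorthand
 * forms such as "127.1" are not accepted, which is what we want here.
 */
bool host_is_ip_literal(const char *host)
{
    unsigned char buf[16];
    char tmp[INET6_ADDRSTRLEN + 2];
    size_t len = strlen(host);
    const char *zone;

    if (len == 0 || len >= sizeof(tmp))
        return false;                 /* too long to be any address literal */

    if (host[0] == '[' && host[len - 1] == ']') {
        /* bracketed IPv6 literal, as written in URLs */
        memcpy(tmp, host + 1, len - 2);
        tmp[len - 2] = '\0';
        host = tmp;
    }

    /* drop a "%zone" suffix (link-local scope id), which inet_pton rejects */
    zone = strchr(host, '%');
    if (zone) {
        if (host != tmp) {
            memcpy(tmp, host, (size_t)(zone - host));
            tmp[zone - host] = '\0';
            host = tmp;
        } else {
            tmp[zone - host] = '\0';
        }
    }

    if (inet_pton(AF_INET, host, buf) == 1)
        return true;
    return inet_pton(AF_INET6, host, buf) == 1;
}

/*
 * Decide what to place in the server_name extension. Returns `host` when
 * it is an ASCII DNS name, and NULL when no SNI should be sent: IP literals
 * are not permitted at all, and a non-ASCII name needs IDNA (A-label)
 * conversion first, which this example does not perform.
 */
const char *sni_hostname(const char *host)
{
    const unsigned char *p;

    if (host_is_ip_literal(host))
        return NULL;
    for (p = (const unsigned char *)host; *p; p++)
        if (*p > 0x7F)
            return NULL;              /* raw UTF-8 label: convert to A-label first */
    return host;
}

int main(void)
{
    /* constructed sample hosts, as they might appear in a URL */
    const char *hosts[] = {
        "example.com", "192.0.2.1", "[2001:db8::1]", "2001:db8::1",
        "[fe80::1%eth0]", "xn--bcher-kva.example", "b\xc3\xbc" "cher.example",
    };
    size_t i;

    for (i = 0; i < sizeof(hosts) / sizeof(hosts[0]); i++) {
        const char *sni = sni_hostname(hosts[i]);
        printf("%-28s -> %s\n", hosts[i], sni ? sni : "(no server_name sent)");
    }
    return 0;
}
```

The ASCII check is deliberately conservative: a correct client would run the name through IDNA conversion and send the resulting xn-- labels, whereas sending the raw UTF-8 bytes would produce a HostName the server cannot match.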