Hi Guys,

I've got a small issue where I'm trying to use multiple SNI rules in an STunnel frontend:

STunnel version is:
stunnel -version
stunnel 5.11 on x86_64-unknown-linux-gnu platform
Compiled/running with OpenSSL 1.0.1e 11 Feb 2013
Threading:PTHREAD Sockets:POLL,IPv6 TLS:ENGINE,FIPS,OCSP,PSK,SNI

Global options:
debug                  = daemon.notice
RNDbytes               = 64
RNDfile                = /dev/urandom
RNDoverwrite           = yes

Service-level options:
ciphers                = FIPS (with "fips = yes")
ciphers                = HIGH:MEDIUM:+3DES:+DH:!aNULL:!SSLv2 (with "fips = no")
curve                  = prime256v1
options                = NO_SSLv2
options                = NO_SSLv3
sessionCacheSize       = 1000
sessionCacheTimeout    = 300 seconds
stack                  = 65536 bytes
TIMEOUTbusy            = 300 seconds
TIMEOUTclose           = 60 seconds
TIMEOUTconnect         = 10 seconds
TIMEOUTidle            = 43200 seconds
verify                 = none


stunnel.conf is:

[https]
accept  = 443
connect = 80

[www_test]
sni     = https:test.com
sni     = https:www.test.com
connect = 192.168.64.220:80

[testing]
sni     = https:testing.com
sni     = https:www.testing.com
connect = 192.168.64.253:80


I've created local DNS rules for each of these hosts, but the problem is that only the last entered sni rule gets matched, so for example www.test.com works but test.com does not. It's the same for testing.com and www.testing.com.


This is what the log file shows too:

2015.03.03 20:01:19 LOG7[12776]: Service [https] accepted (FD=21) from 192.168.63.50:53123
2015.03.03 20:01:19 LOG7[12808]: Service [https] started
2015.03.03 20:01:19 LOG5[12808]: Service [https] accepted connection from 192.168.63.50:53123
2015.03.03 20:01:19 LOG7[12808]: SSL state (accept): before/accept initialization
2015.03.03 20:01:19 LOG6[12808]: SNI: requested servername: testing.com
2015.03.03 20:01:19 LOG3[12808]: SNI: no pattern matched servername: testing.com
2015.03.03 20:01:19 LOG7[12808]: SSL alert (write): fatal: unrecognized name
2015.03.03 20:01:19 LOG3[12808]: SSL_accept: 1408A0E2: error:1408A0E2:SSL routines:SSL3_GET_CLIENT_HELLO:clienthello tlsext
2015.03.03 20:01:19 LOG5[12808]: Connection reset: 0 byte(s) sent to SSL, 0 byte(s) sent to socket
2015.03.03 20:01:19 LOG7[12808]: Local socket (FD=21) closed
2015.03.03 20:01:19 LOG7[12808]: Service [https] finished (7 left)
2015.03.03 20:01:29 LOG6[12805]: Read socket closed (readsocket)
2015.03.03 20:01:29 LOG7[12805]: Sending close_notify alert
2015.03.03 20:01:29 LOG7[12805]: SSL alert (write): warning: close notify
2015.03.03 20:01:29 LOG6[12805]: SSL_shutdown successfully sent close_notify alert
2015.03.03 20:01:30 LOG6[12805]: SSL socket closed (SSL_read)
2015.03.03 20:01:30 LOG7[12805]: Sent socket write shutdown
2015.03.03 20:01:30 LOG5[12805]: Connection closed: 485 byte(s) sent to SSL, 642 byte(s) sent to socket
2015.03.03 20:01:30 LOG7[12805]: Remote socket (FD=14) closed
2015.03.03 20:01:30 LOG7[12805]: Local socket (FD=13) closed
2015.03.03 20:01:30 LOG7[12805]: Service [www_test] finished (6 left)
2015.03.03 20:01:49 LOG7[12776]: Service [https] accepted (FD=13) from 192.168.63.50:53128
2015.03.03 20:01:49 LOG7[12809]: Service [https] started
2015.03.03 20:01:49 LOG5[12809]: Service [https] accepted connection from 192.168.63.50:53128
2015.03.03 20:01:49 LOG7[12809]: SSL state (accept): before/accept initialization
2015.03.03 20:01:49 LOG6[12809]: SNI: requested servername: testing.com
2015.03.03 20:01:49 LOG3[12809]: SNI: no pattern matched servername: testing.com
2015.03.03 20:01:49 LOG7[12809]: SSL alert (write): fatal: unrecognized name
2015.03.03 20:01:49 LOG3[12809]: SSL_accept: 1408A0E2: error:1408A0E2:SSL routines:SSL3_GET_CLIENT_HELLO:clienthello tlsext
2015.03.03 20:01:49 LOG5[12809]: Connection reset: 0 byte(s) sent to SSL, 0 byte(s) sent to socket
2015.03.03 20:01:49 LOG7[12809]: Local socket (FD=13) closed
2015.03.03 20:01:49 LOG7[12809]: Service [https] finished (6 left)

I have seen a couple of patch files floating around but they are for older versions and I can't get them to compile into the v5.11 version.

Any thoughts?


--
With Kind Regards.

Scott McKeown
Loadbalancer.org
http://www.loadbalancer.org
Tel (UK) - +44 (0) 3303801064 (24x7)
Tel (US) - +1 888.867.9504 (Toll Free)(24x7)
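The behaviour described in the post, modelled as an added Python example (this is not code from the post, from the stunnel project, or from Loadbalancer.org). It parses the posted stunnel.conf, applies a last-value-wins rule for a repeated `sni` option within one section (an assumption chosen because it reproduces what the poster observed, not a statement about how stunnel's parser is written), shows which server names the `https` master would route to a slave and which would end with the `unrecognized name` alert seen in the log, and emits a rewritten configuration with exactly one `sni` per slave section. The wildcard matcher implements the leading-`*` suffix form as the stunnel manual describes it; whether 5.11 honours it is not checked here. The generated section names (`www_test_1`, `www_test_2`, ...) and the helper names are made up for the illustration.

```python
import re

# Constructed copy of the configuration from the post, embedded so the
# example runs offline; it is not the file on the poster's host.
POSTED_CONF = """\
[https]
accept  = 443
connect = 80
[www_test]
        sni = https:test.com
        sni = https:www.test.com
        connect = 192.168.64.220:80

[testing]
        sni = https:testing.com
        sni = https:www.testing.com
        connect = 192.168.64.253:80
"""

SECTION_RE = re.compile(r"^\[(?P<name>[^\]]+)\]$")
OPTION_RE = re.compile(r"^(?P<key>[A-Za-z][A-Za-z0-9]*)\s*=\s*(?P<value>.*?)$")


def parse_conf(text):
    """Parse stunnel.conf into [(section_name, [(key, value), ...]), ...].

    Duplicate keys are kept in order so the caller can see exactly what was
    written; options before the first section (global options) go under None.
    """
    current = (None, [])
    sections = [current]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        m = SECTION_RE.match(line)
        if m:
            current = (m.group("name"), [])
            sections.append(current)
            continue
        m = OPTION_RE.match(line)
        if m:
            current[1].append((m.group("key"), m.group("value")))
    return sections


def effective_sni(sections):
    """Model of the behaviour reported in the post: if a section repeats
    'sni', only the last value is in effect (assumption, see the lead-in)."""
    result = {}
    for name, opts in sections:
        values = [v for k, v in opts if name is not None and k.lower() == "sni"]
        if values:
            result[name] = values[-1]
    return result


def matches_wildcard(servername, pattern):
    """Leading '*' makes the remainder a case-insensitive suffix; otherwise the
    whole name must match. Note that '*test.com' also matches 'evil-test.com',
    so a wildcard is broader than the two names it is usually meant to cover."""
    if pattern.startswith("*"):
        return servername.lower().endswith(pattern[1:].lower())
    return servername.lower() == pattern.lower()


def route(sections, master, servername):
    """Return the slave service the master would hand 'servername' to, or None
    (the case that produced 'SNI: no pattern matched servername' in the log)."""
    for slave, sni in effective_sni(sections).items():
        owner, _, pattern = sni.partition(":")
        if owner == master and matches_wildcard(servername, pattern):
            return slave
    return None


def expand_sni(sections):
    """Rewrite the config so each 'sni' value gets its own slave section that
    carries the other options (connect etc.) of the original section."""
    out = []
    for name, opts in sections:
        snis = [v for k, v in opts if k.lower() == "sni"]
        others = [(k, v) for k, v in opts if k.lower() != "sni"]
        if name is None or len(snis) <= 1:
            if name is not None:
                out.append(f"[{name}]")
            out.extend(f"{k} = {v}" for k, v in opts)
            out.append("")
            continue
        for i, sni in enumerate(snis, 1):  # hypothetical naming: <name>_<n>
            out.append(f"[{name}_{i}]")
            out.append(f"sni = {sni}")
            out.extend(f"{k} = {v}" for k, v in others)
            out.append("")
    return "\n".join(out)


if __name__ == "__main__":
    posted = parse_conf(POSTED_CONF)
    for host in ("test.com", "www.test.com", "testing.com", "www.testing.com"):
        print(f"{host:16} posted -> {route(posted, 'https', host)}")
    fixed_text = expand_sni(posted)
    fixed = parse_conf(fixed_text)
    for host in ("test.com", "www.test.com", "testing.com", "www.testing.com"):
        print(f"{host:16} fixed  -> {route(fixed, 'https', host)}")
    print(fixed_text)
```

Running it prints `None` for test.com and testing.com against the posted config, matching the log, and a slave name for all four hosts against the expanded config. The expanded text is what you would drop into stunnel.conf in place of the two original slave sections; keep the master section unchanged.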