Hello, I have the following config on my stunnel server:
Dereks-MacBook-Pro:server derek$ cat server.conf
;setuid = stunnel
setgid = nogroup
foreground = yes
pid = /etc/stunnel/stunnel.pid
debug = 7
output = /etc/stunnel/stunnel.log
options = NO_SSLv2
verify = 3
fips=no
CAfile=/Users/derek/cert_attempts/root_certs/cacert.pem
CApath=/Users/derek/cert_attempts/server/trusted/

[https]
cert = /Users/derek/cert_attempts/server/domain.local.pem
accept = 443
connect = 80
;connect is the far-end openvpn connection

[exit1]
sni = https:exit1.domain.local
cert = /Users/derek/cert_attempts/server/exit1.domain.local.pem
connect=ovpn1:16081

[exit2]
sni = https:exit2.domain.local
cert=/Users/derek/cert_attempts/server/exit2.domain.local.pem
connect=ovpn2:1195
I am trying to test whether this is working by using openssl s_client with something similar to the following:
openssl s_client -connect 10.22.1.219:443 -cert ./server/domain.local.pem -servername exit2.domain.local
Maybe I misunderstand - but why do I have to specify -servername there? I thought that if I specified -cert and it matched any of the cert= entries in the services in my stunnel configuration, it would automatically know to do that connect? It seems like if I leave off -servername entirely, it always defaults to https no matter what cert I specify, and if I do have -servername, it always goes to that SNI regardless of what cert I use (or whether that cert is even valid). All three of these .pem files were generated and signed by the same CA that I created, and they all contain the public and private key. What am I doing wrong here?
Thanks
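The behaviour described in the question follows from where the two pieces of information sit in the TLS handshake: the server_name (SNI) extension travels in the very first message, the ClientHello, so a server can pick a service and certificate before anything else happens, whereas the client certificate is only sent later, after the server has already chosen. The following script is an added illustration, not part of the original post or of stunnel's code: it builds a minimal ClientHello with an optional SNI extension, parses the server_name back out of the raw bytes, and dispatches to a service table modelled on the [exit1]/[exit2] sections above (the fallback to the default [https] service for a missing or unmatched name is an assumption about stunnel's behaviour, stated here as such; the ClientHello bytes are constructed, not captured).

```python
import struct

SERVER_NAME_EXT = 0x0000  # TLS extension type for server_name (RFC 6066)


def build_client_hello(sni=None, cipher_suites=(0x1301, 0x1302)):
    """Construct a minimal TLS ClientHello record (constructed sample, not a real capture).

    No certificate appears anywhere in this message: a client cert is only sent
    after the server has replied, so it cannot influence SNI-based service selection.
    """
    body = struct.pack("!H", 0x0303) + b"\x11" * 32  # client_version + fixed 'random'
    body += b"\x00"  # empty session_id
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    body += struct.pack("!H", len(suites)) + suites
    body += b"\x01\x00"  # one compression method: null
    extensions = b""
    if sni is not None:
        host = sni.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(host)) + host  # name_type 0 = host_name
        sni_list = struct.pack("!H", len(entry)) + entry
        extensions += struct.pack("!HH", SERVER_NAME_EXT, len(sni_list)) + sni_list
    body += struct.pack("!H", len(extensions)) + extensions
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record):
    """Return the host_name from a ClientHello's SNI extension, or None if absent."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32  # skip client_version and random
    pos += 1 + body[pos]  # session_id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2 + cs_len  # cipher_suites
    pos += 1 + body[pos]  # compression_methods
    if pos >= len(body):
        return None  # legacy ClientHello with no extensions block
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    while pos + 4 <= end:
        ext_type, ext_size = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        ext_data = body[pos:pos + ext_size]
        pos += ext_size
        if ext_type == SERVER_NAME_EXT:
            lpos = 2  # skip server_name_list length
            while lpos + 3 <= len(ext_data):
                name_type = ext_data[lpos]
                name_len = struct.unpack("!H", ext_data[lpos + 1:lpos + 3])[0]
                name = ext_data[lpos + 3:lpos + 3 + name_len]
                if name_type == 0:
                    return name.decode("ascii")
                lpos += 3 + name_len
    return None


def select_service(record, services, default):
    """Model SNI-based dispatch: the service whose sni matches, else the default section."""
    return services.get(extract_sni(record), default)


# Service table modelled on the [exit1]/[exit2] sections; [https] is the default (assumption)
SERVICES = {"exit1.domain.local": "exit1", "exit2.domain.local": "exit2"}

if __name__ == "__main__":
    for name in ("exit1.domain.local", "exit2.domain.local", "other.example", None):
        hello = build_client_hello(name)
        print(f"SNI={name!r:24} -> service {select_service(hello, SERVICES, 'https')}")
```

Running it shows that only the name in the ClientHello decides which section handles the connection; that is exactly why `-servername` selects the service in the s_client test while `-cert` (which is verified later under `verify = 3`) never does.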