-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
Derek Cole wrote:
CAfile=/Users/derek/cert_attempts/root_certs/cacert.pem CApath=/Users/derek/cert_attempts/server/trusted/ [https] cert = /Users/derek/cert_attempts/server/domain.local.pem accept = 443 connect = 80 ;connect is the far-end openvpn connection
[exit1] sni = https:exit1.domain.local cert = /Users/derek/cert_attempts/server/exit1.domain.local.pem connect=ovpn1:16081
[exit2] sni = https:exit2.domain.local cert=/Users/derek/cert_attempts/server/exit2.domain.local.pem connect=ovpn2:1195
I am trying to test whether this is working by using openssl s_client with something similar to the following:
openssl s_client -connect 10.22.1.219:443 http://10.22.1.219:443 -cert ./server/domain.local.pem -servername exit2.domain.local
Maybe I misunderstand - but why do I have to specify -servername there? I thought that if I specified -cert and it matched any of the cert= in my services that are in my stunnel configuration, it would automatically know to do that connect?
You confused SNI with the client certificate selection algorithm, which works more or less the way you described (for client certificates).
SNI allows selecting not only a server certificate (not a client certificate!), but also other options. SNI is intended to be used for name-based virtual servers.
Modern web browsers and stunnel (but not the s_client testing tool) automatically send your requested hostname in the SNI extension. When you connect to "exit1.domain.local" or "exit2.domain.local" those tools will automatically request the proper service.
Without the "-servername" option s_client does not send the SNI extension at all.
Mike