Hello, I have the following config on my stunnel server:
Dereks-MacBook-Pro:server derek$ cat server.conf
;setuid = stunnel
setgid = nogroup
foreground = yes
pid = /etc/stunnel/stunnel.pid
debug = 7
output = /etc/stunnel/stunnel.log
options = NO_SSLv2
verify = 3
fips=no
CAfile=/Users/derek/cert_attempts/root_certs/cacert.pem
CApath=/Users/derek/cert_attempts/server/trusted/

[https]
cert = /Users/derek/cert_attempts/server/domain.local.pem
accept = 443
connect = 80
;connect is the far-end openvpn connection

[exit1]
sni = https:exit1.domain.local
cert = /Users/derek/cert_attempts/server/exit1.domain.local.pem
connect=ovpn1:16081

[exit2]
sni = https:exit2.domain.local
cert=/Users/derek/cert_attempts/server/exit2.domain.local.pem
connect=ovpn2:1195
I am trying to test whether this is working by using openssl s_client with something similar to the following:
openssl s_client -connect 10.22.1.219:443 -cert ./server/domain.local.pem -servername exit2.domain.local
Maybe I misunderstand - but why do I have to specify -servername there? I thought that if I specified -cert and it matched any of the cert= in my services that are in my stunnel configuration, it would automatically know to do that connect? It seems like if I leave off -servername entirely, it always defaults to https no matter what cert I specify, and if I do have -servername, it always goes to that SNI regardless of what cert I use (or whether that cert is even valid). All three of these .pem files were generated and signed by the same CA that I created, and they all contain the public and private key. What am I doing wrong here?
Thanks
Derek Cole wrote:
> CAfile=/Users/derek/cert_attempts/root_certs/cacert.pem
> CApath=/Users/derek/cert_attempts/server/trusted/
>
> [https]
> cert = /Users/derek/cert_attempts/server/domain.local.pem
> accept = 443
> connect = 80
> ;connect is the far-end openvpn connection
>
> [exit1]
> sni = https:exit1.domain.local
> cert = /Users/derek/cert_attempts/server/exit1.domain.local.pem
> connect=ovpn1:16081
>
> [exit2]
> sni = https:exit2.domain.local
> cert=/Users/derek/cert_attempts/server/exit2.domain.local.pem
> connect=ovpn2:1195
>
> I am trying to test whether this is working by using openssl s_client with something similar to the following:
>
> openssl s_client -connect 10.22.1.219:443 -cert ./server/domain.local.pem -servername exit2.domain.local
>
> Maybe I misunderstand - but why do I have to specify -servername there? I thought that if I specified -cert and it matched any of the cert= in my services that are in my stunnel configuration, it would automatically know to do that connect?
You confused SNI with the client certificate selection algorithm, which works more or less the way you described (for client certificates).
SNI allows selecting not only a server certificate (not a client certificate!), but also other options. SNI is intended to be used for name-based virtual servers.
Modern web browsers and stunnel (but not the s_client testing tool) automatically send your requested hostname in the SNI extension. When you connect to "exit1.domain.local" or "exit2.domain.local" those tools will automatically request the proper service.
Without the "-servername" option s_client does not send the SNI extension at all.
Mike
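To make the selection rule in Mike's reply concrete, here is an added example (not stunnel's own code and not from either poster) that replays the server-side choice over the config from the thread: the service is picked by the SNI hostname alone, and a missing or unmatched name falls back to the parent [https] service no matter which certificate the client presented. The config text is a constructed copy trimmed to the options that matter, and the hostname comparison is a plain case-insensitive string match rather than stunnel's exact matching code.

```python
# Constructed copy of the server.conf quoted in the thread, trimmed to routing options.
SERVER_CONF = """
;setuid = stunnel
verify = 3
CAfile=/Users/derek/cert_attempts/root_certs/cacert.pem
[https]
cert = /Users/derek/cert_attempts/server/domain.local.pem
accept = 443
connect = 80
[exit1]
sni = https:exit1.domain.local
cert = /Users/derek/cert_attempts/server/exit1.domain.local.pem
connect=ovpn1:16081
[exit2]
sni = https:exit2.domain.local
cert=/Users/derek/cert_attempts/server/exit2.domain.local.pem
connect=ovpn2:1195
"""

def parse_services(text):
    """Parse stunnel's INI-style config into {service_name: {option: value}}.
    Lines starting with ';' are comments; options before the first [section]
    are global and ignored here because they play no part in SNI routing."""
    services, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            services[current] = {}
        elif "=" in line and current is not None:
            key, value = (part.strip() for part in line.split("=", 1))
            services[current][key] = value
    return services

def route(services, parent, sni_hostname, client_cert=None):
    """Return (service, cert, connect) for a connection accepted by `parent`.
    A child with 'sni = PARENT:HOST' wins only when the client's SNI extension
    carried HOST. `client_cert` is accepted but deliberately unused: the
    certificate the client presents never influences which service is chosen."""
    for name, opts in services.items():
        if ":" not in opts.get("sni", ""):
            continue
        sni_parent, host = opts["sni"].split(":", 1)
        if sni_parent == parent and sni_hostname and host.lower() == sni_hostname.lower():
            return name, opts["cert"], opts["connect"]
    fallback = services[parent]          # no SNI, or no child matched it
    return parent, fallback["cert"], fallback["connect"]
```

Calling `route(parse_services(SERVER_CONF), "https", None, client_cert="exit2.domain.local.pem")` lands on the [https] service, which is exactly the behaviour Derek saw when -servername was left off.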