Hi,
I've found the SNI parameter in stunnel, but it doesn't work on my Ubuntu 16.04.
My goal is to use one DFN cert for the stunnel cert, which has 4 hostnames. This cert is on both servers. On the client server this cert works, because in the cert this is the first hostname. On the second server I use the same cert, but it can't be verified, because stunnel doesn't recognize the correct hostname from the cert.
Can anyone send me an example for a working SNI configuration?
My configs:

Server one:

client = yes
cert = /etc/stunnel/cert.pem
service = test
debug = debug
output = /var/log/stunnel4/stunnel.log
foreground = no
sslVersion = TLSv1
options = NO_SSLv3
options = NO_SSLv2
CAfile = /etc/ssl/web/chain.pem
verify = 2
socket = r:TCP_NODELAY=1

[app1]
accept = localhost:8090
connect = 10.1.2.1:8085

-----

Server 2 (fails):

client = no
cert = /etc/stunnel/cert.pem
service = test
debug = debug
output = /var/log/stunnel4/stunnel.log
sslVersion = TLSv1
options = NO_SSLv3
options = NO_SSLv2
foreground = no
CAfile = /etc/ssl/web/chain.pem
verify = 2
socket = l:TCP_NODELAY=1

[ajp]
accept = 8085
connect = 127.0.0.1:8009

---

Error:

2016.10.31 15:01:40 LOG7[9]: SNI: no virtual services defined
2016.10.31 15:01:40 LOG4[9]: CERT: Pre-verification error: unsupported certificate purpose

Regards,
Benjamin Hartwich
Referat Basisdienste
Zentrum für Informationstechnologie und Medienmanagement
Universität Passau
Innstr. 33, 94032 Passau
Phone +49 (0)851/509-3285, Fax +49 (0)851/509-1802
Email: benjamin.hartwich@uni-passau.de