[stunnel-users] Using SNI in stunnel server
Michal Trojnara
Michal.Trojnara at mirt.net
Fri Jun 13 07:35:48 CEST 2014
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Derek Cole wrote:
> CAfile=/Users/derek/cert_attempts/root_certs/cacert.pem
> CApath=/Users/derek/cert_attempts/server/trusted/ [https] cert =
> /Users/derek/cert_attempts/server/domain.local.pem accept = 443
> connect = 80 ;connect is the far-end openvpn connection
>
> [exit1] sni = https:exit1.domain.local cert =
> /Users/derek/cert_attempts/server/exit1.domain.local.pem
> connect=ovpn1:16081
>
> [exit2] sni = https:exit2.domain.local
> cert=/Users/derek/cert_attempts/server/exit2.domain.local.pem
> connect=ovpn2:1195
>
>
> I am trying to test whether this is working by using openssl
> s_client with something similar to the following:
>
> openssl s_client -connect 10.22.1.219:443 <http://10.22.1.219:443>
> -cert ./server/domain.local.pem -servername exit2.domain.local
>
> Maybe I misunderstand - but why do I have to specify -servername
> there? I thought that if I specified -cert and it matched any of
> the cert= in my services that are in my stunnel configuration, it
> would automatically know to do that connect?
You confused SNI with the client certificate selection algorithm,
which works more or less the way you described (for client certificates).
SNI allows selecting not only a server certificate (not a client
certificate!), but also other options. SNI is intended to be used for
name-based virtual servers.
Modern web browsers and stunnel (but not the s_client testing tool)
automatically send your requested hostname in the SNI extension. When
you connect to "exit1.domain.local" or "exit2.domain.local" those
tools will automatically request the proper service.
Without the "-servername" option s_client does not send the SNI
extension at all.
Mike
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
iEYEARECAAYFAlOajbQACgkQ/NU+nXTHMtF+MACgxZANUX/RNSQ23wkDQ4tlvtFo
MwkAoNiIJ6PA4rbAStmE7FxtpJU89z01
=lBfS
-----END PGP SIGNATURE-----
More information about the stunnel-users
mailing list