[stunnel-users] Use SNI

Benjamin Hartwich Benjamin.Hartwich at Uni-Passau.De
Mon Oct 31 15:10:09 CET 2016


Hi,

I've found the SNI parameter in stunnel, but it doesn't work on my
Ubuntu 16.04.

My goal is to use one DFN cert for the stunnel cert, which has 4
hostnames. This cert is on both servers. On the client server this cert
works, because in the cert this is the first hostname. On the second
server I use the same cert, but it can't be verified, because stunnel
doesn't recognize the correct hostname from the cert.

Can anyone send me an example for a working SNI configuration?

My Configs:
Server one:
 client = yes
 cert = /etc/stunnel/cert.pem
 service = test
 debug = debug
 output = /var/log/stunnel4/stunnel.log
 foreground = no
 sslVersion = TLSv1
 options = NO_SSLv3
 options = NO_SSLv2
 CAfile = /etc/ssl/web/chain.pem
 verify = 2
 socket = r:TCP_NODELAY=1

 [app1]
 accept = localhost:8090
 connect = 10.1.2.1:8085
-----
Server 2 (fails):
 client = no
 cert = /etc/stunnel/cert.pem
 service = test
 debug = debug
 output = /var/log/stunnel4/stunnel.log
 sslVersion = TLSv1
 options = NO_SSLv3
 options = NO_SSLv2
 foreground = no
 CAfile = /etc/ssl/web/chain.pem
 verify = 2
 socket = l:TCP_NODELAY=1

 [ajp]
 accept =  8085
 connect = 127.0.0.1:8009
---
Error:
2016.10.31 15:01:40 LOG7[9]: SNI: no virtual services defined
2016.10.31 15:01:40 LOG4[9]: CERT: Pre-verification error: unsupported certificate purpose

Regards,

Benjamin Hartwich
Basic Services Unit

Center for Information Technology and Media Management

Universität Passau
Innstr. 33, 94032 Passau
Phone +49 (0)851/509-3285,
Fax +49 (0)851/509-1802
E-mail: benjamin.hartwich at uni-passau.de
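The following is an added example of an SNI-based stunnel setup for the situation described in the post; it is not the poster's configuration and not an official stunnel example. It uses the `sni` option as documented in the stunnel 5.x manual (Ubuntu 16.04 ships stunnel 5.x): on the server a master service owns the `accept` port and slave services declared with `sni = MASTER:HOSTNAME` are selected by the name the client sends; on the client `sni = HOSTNAME` sets the name sent and `checkHost` verifies it against the server's certificate. The hostnames `app1.example.org` and `app2.example.org`, the second backend port 8010, and the per-host certificate paths are placeholders.

```ini
; ===== Server 2 (server mode, SNI virtual services) =====
; Global options
foreground = no
debug = debug
output = /var/log/stunnel4/stunnel.log
sslVersion = TLSv1
options = NO_SSLv3
options = NO_SSLv2
socket = l:TCP_NODELAY=1

; Master service: owns the listening port and serves the default
; certificate when the client sends no SNI or an unknown name.
[ajp]
accept = 8085
connect = 127.0.0.1:8009
cert = /etc/stunnel/cert.pem
CAfile = /etc/ssl/web/chain.pem
; verify = 2 here requires every client to present a certificate that is
; valid for client authentication; drop it if clients are not meant to
; authenticate with certificates.
verify = 2

; Slave service: chosen when the client sends SNI "app2.example.org".
; A slave service has no "accept"; it inherits the master's port.
[ajp-app2]
sni = ajp:app2.example.org
connect = 127.0.0.1:8010
; Either the same multi-name certificate or a per-host one (placeholder path)
cert = /etc/stunnel/cert-app2.pem

; ===== Server 1 (client mode) =====
; Put this in the stunnel.conf of the first server.
[app1]
client = yes
accept = localhost:8090
connect = 10.1.2.1:8085
; Name sent in the TLS SNI extension, selecting the slave service above
sni = app2.example.org
; Verify the server's chain against the CA bundle ...
CAfile = /etc/ssl/web/chain.pem
verify = 2
; ... and check that the presented certificate actually carries this hostname
checkHost = app2.example.org
; Client certificate, only needed because the server sets verify = 2
cert = /etc/stunnel/cert.pem
```

Two points worth checking against the log message in the post. The line "SNI: no virtual services defined" simply reports that no `sni = MASTER:HOST` slave section exists on the server, which is what the second configuration above adds. The "unsupported certificate purpose" pre-verification error is OpenSSL's X509_V_ERR_INVALID_PURPOSE: with `verify = 2` the server validates the certificate the client presents, and a certificate whose extended key usage only permits server authentication fails that check. So the server-side `verify = 2` and the client's `cert` need a certificate that is valid as a client certificate, or the server should not request client certificates at all.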
