[stunnel-users] Use SNI

Małgorzata Olszówka gosia at olszowka.net
Mon Nov 7 12:03:59 CET 2016


On 31.10.2016 at 15:10, Benjamin Hartwich wrote:
> Hi,
>
> I've found the SNI parameter in stunnel, but it doesn't work on my
> Ubuntu 16.04.
>
> My goal is to use one DFN cert for the stunnel cert, which has 4
> hostnames. This cert is on both servers. On the client server this cert
> works, because in the cert this is the first hostname. On the second
> server I use the same cert, but it can't be verified, because stunnel
> doesn't recognize the correct hostname from the cert.
>
> Can anyone send me an example of a working SNI configuration?


Hello Benjamin,

Could you update stunnel to the latest version, 5.37? SNI works better
there. The default or incorrect SNI target is now handled by the master
service.

This is my example SNI configuration in server mode:

[virtual]
; master service
; settings for clients that didn't send an SNI extension, or whose SNI
; value was not correct
accept = 443
cert = /usr/local/etc/stunnel/stunnel.pem
exec = /usr/local/bin/hello

[sni1]
; slave service 1
; notice that "sni" option is used instead of "accept"
sni = virtual:*.public.net
cert = /usr/local/etc/stunnel/public_cert.pem
connect = 10.10.10.11:80

[sni2]
; slave service 2
sni = virtual:secret.net
cert = /usr/local/etc/stunnel/secret_cert.pem
connect = localhost:888
verifyPeer = yes
CAfile = /usr/local/etc/stunnel/allowed-clients.pem
; other service-level options may be specified here

An example client-mode configuration:

[https]
client = yes
sni = my.public.net
accept = 127.0.0.1:80
connect = 10.10.10.12:443
cert = stunnel.pem
verifyPeer = yes
CAfile = sni_certs.pem


2016.11.07 04:03:32 LOG7[ui]: Service [virtual] accepted (FD=3) from 10.10.10.14:49169
2016.11.07 04:03:32 LOG7[4]: Service [virtual] started
2016.11.07 04:03:32 LOG7[4]: Option TCP_NODELAY set on local socket
2016.11.07 04:03:32 LOG5[4]: Service [virtual] accepted connection from 10.10.10.14:49169
2016.11.07 04:03:32 LOG6[4]: Peer certificate not required
2016.11.07 04:03:32 LOG7[4]: SSL state (accept): before/accept initialization
2016.11.07 04:03:32 LOG6[4]: SNI: requested servername: my.public.net
2016.11.07 04:03:32 LOG7[4]: SNI: matched pattern: *.public.net
2016.11.07 04:03:32 LOG5[4]: SNI: switched to service [sni1]
…

Regards.
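Editor's added example (not code from the post above, nor from the stunnel project): the check a practitioner wants after setting up SNI services like [sni1] and [sni2] is whether the certificate the server actually presents for a given SNI name covers that name, and which certificate the fallback [virtual] service hands out for an unknown name. The script below probes a TLS endpoint with openssl s_client and a chosen -servername, extracts the subjectAltName DNS entries of the presented certificate, and matches the requested name against them. The host, port and names are placeholders taken from the post's config; the wildcard rule in san_matches is a conventional approximation (asterisk only as the whole leftmost label, matching exactly one label) and is an assumption, not a statement of how stunnel's own sni pattern matching works. It assumes OpenSSL 1.1.1 or newer for `openssl x509 -ext`.

```shell
#!/bin/sh
# Added example, not from the stunnel post. Probe a TLS endpoint with a
# chosen SNI name and check that the certificate it presents lists that
# name in subjectAltName. Only sni_san_names needs a reachable server.

# Print the DNS entries of a subjectAltName extension read from stdin in
# 'openssl x509 -ext subjectAltName' text form, one per line. Runs offline.
san_dns_names() {
    tr ',' '\n' | sed -n 's/^[[:space:]]*DNS:[[:space:]]*//p'
}

# Report whether one SAN entry PAT covers hostname HN (case-insensitive).
# Wildcard rule used here (an assumption, not stunnel's matcher): '*' is
# allowed only as the whole leftmost label and matches exactly one label,
# so '*.public.net' covers my.public.net but not a.b.public.net or public.net.
# Returns 0 if covered, 1 otherwise.
san_matches() {
    pat=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    hn=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    case $pat in
        '*.'*)
            suffix=${pat#\*.}
            first=${hn%%.*}      # leftmost label of the requested name
            rest=${hn#*.}        # everything after the first dot
            if [ -n "$first" ] && [ "$first" != "$hn" ] && [ "$rest" = "$suffix" ]; then
                return 0
            fi
            return 1
            ;;
        *)
            if [ "$pat" = "$hn" ]; then
                return 0
            fi
            return 1
            ;;
    esac
}

# Read SAN names (one per line) from stdin and tell whether any covers WANT.
# Prints the matching entry or "NOT covered"; returns 0/1 accordingly.
san_covers() {
    want=$1
    while IFS= read -r entry; do
        [ -n "$entry" ] || continue
        if san_matches "$entry" "$want"; then
            echo "$want: covered by SAN entry $entry"
            return 0
        fi
    done
    echo "$want: NOT covered by any SAN entry"
    return 1
}

# Fetch the certificate SRV:PRT presents when the client sends SNI name SNI
# and print its SAN DNS entries. Needs a live server (network call).
sni_san_names() {
    srv=$1; prt=$2; sni=$3
    openssl s_client -connect "$srv:$prt" -servername "$sni" </dev/null 2>/dev/null \
      | openssl x509 -noout -ext subjectAltName 2>/dev/null \
      | san_dns_names
}

# Full check: does the certificate served for SNI name $3 cover $3?
# Usage against the post's setup (placeholder address from the client config):
#   check_sni 10.10.10.12 443 my.public.net       # expect the [sni1] cert
#   check_sni 10.10.10.12 443 secret.net          # expect the [sni2] cert
#   check_sni 10.10.10.12 443 unknown.example     # expect the [virtual] cert
check_sni() {
    sni_san_names "$1" "$2" "$3" | san_covers "$3"
}
```

Running check_sni once per hostname is the direct test for the problem in the original question: if the name the client sends is not covered by the certificate the server picks for it, verification on the client side will fail regardless of how many hostnames the certificate lists. The third call shows what the master service falls back to when no slave pattern matches.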
