Hello!

I noticed that when dealing with wildcard certs in stunnel where an SNI configuration is being used, unless a specific servername context that exactly matches the browser's requested servername is in the stunnel.conf, stunnel responds to the client (web browser in this case) with an SSL_TLSEXT_ERR_ALERT_FATAL. Most browsers fall back to a non-SNI request, at which point stunnel responds with whatever the master service's certificate is (which, if it's a wildcard cert, just works).  However, at least one popularly-used web browser (Firefox) does not do this, and instead returns an error message to the user which they cannot (and should not need to) override to view the site contents.

Since it's impractical to list all the possible servernames that can match a wildcard cert, and it's also impractical to expect the Firefox developers to change the behavior of their browser (when they shouldn't have to), and even more impractical to expect all the current users of Firefox to upgrade in a timely manner... I went ahead and wrote a patch for stunnel which instructs it to look for a matching wildcard certificate if an exactly-matching servername isn't found.  I've attached this patch to this message.

Beyond fixing the stunnel+wildcard cert+SNI+firefox problem above, the secondary benefits of this patch are:

* stunnel now responds immediately with a matching cert in the case of a wildcard cert, thus eliminating that first exchange which results in the SSL_TLSEXT_ERR_ALERT_FATAL error above.  For stupid browsers and configurations with keepalive turned off + lots of requests per page and high latency, this should help to significantly improve performance.
* stunnel will still choose an exactly matching cert if it's available and configured. (i.e. if the browser requests 'subdomain.example.com', and there's a certificate configured in stunnel for 'subdomain.example.com' and another for '*.example.com', stunnel will respond with the 'subdomain.example.com' cert.)
* one can now use multiple wildcard certs on a single IP:Port combination thanks to SNI.  (Without this patch, you can effectively only use one wildcard cert per IP:Port combination with stunnel.)

One note:  It's been years since I've written any C code, so I can't really vouch for the quality of my patch.  I'm hoping at least the maintainers of this project see the utility of the patch I'm providing and write something similar in non-stupid C.

Thanks,
Stephen


--
Stephen Balukoff
Blue Box Group, LLC
(800)613-4305 x807
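The selection rule described in the message above (prefer an exactly matching servername context, otherwise fall back to a configured wildcard cert, otherwise no match, which is the case where stunnel sends the SNI alert) as a stand-alone illustration. This is an added example and not the attached patch or stunnel's own code; the table of configured certificate names, the `pick_cert` function and the one-label wildcard rule (a `*.example.com` pattern covers `host.example.com` but not `a.b.example.com`, following the usual RFC 6125 interpretation) are assumptions of this example, since the message does not say how far a wildcard should match.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>   /* strcasecmp (POSIX) */

/* Constructed list of certificate names as they might be configured per
 * service context; this is example data, not stunnel's data structure. */
static const char *const kNames[] = {
    "www.example.net",
    "subdomain.example.com",
    "*.example.com",
    "*.example.org",
};
enum { kNumNames = sizeof(kNames) / sizeof(kNames[0]) };

/* Return 1 if a wildcard pattern of the form "*.suffix" covers host.
 * The wildcard stands for exactly one non-empty DNS label, so
 * "*.example.com" matches "a.example.com" but neither "a.b.example.com"
 * nor "example.com". Comparison is case-insensitive, as DNS names are. */
static int wildcard_matches(const char *pattern, const char *host)
{
    if (pattern[0] != '*' || pattern[1] != '.')
        return 0;                          /* not a wildcard pattern */
    const char *dot = strchr(host, '.');
    if (dot == NULL || dot == host)
        return 0;                          /* no label before the first dot */
    if (strchr(host, '*') != NULL)
        return 0;                          /* a requested name never contains '*' */
    /* pattern + 1 is ".example.com"; it must equal the host from its first dot */
    return strcasecmp(pattern + 1, dot) == 0;
}

/* Pick the index of the certificate to serve for the SNI servername:
 * an exact match wins over any wildcard, the first matching wildcard is
 * used otherwise, and -1 means no configured cert covers the name
 * (the situation in which the original stunnel sends the fatal alert). */
int pick_cert(const char *servername, const char *const *names, int n)
{
    int wildcard = -1;
    if (servername == NULL || servername[0] == '\0')
        return -1;
    for (int i = 0; i < n; i++) {
        if (strcasecmp(names[i], servername) == 0)
            return i;                      /* exact match: stop immediately */
        if (wildcard < 0 && wildcard_matches(names[i], servername))
            wildcard = i;                  /* remember, but keep looking for exact */
    }
    return wildcard;
}

int main(void)
{
    const char *requests[] = {
        "subdomain.example.com", "other.example.com", "a.b.example.com",
        "example.com", "foo.example.org", "www.example.net",
    };
    for (size_t i = 0; i < sizeof(requests) / sizeof(requests[0]); i++) {
        int idx = pick_cert(requests[i], kNames, kNumNames);
        printf("%-24s -> %s\n", requests[i],
               idx < 0 ? "no match (alert)" : kNames[idx]);
    }
    return 0;
}
```

Note that with this rule a request for `a.b.example.com` still ends in the no-match branch even though a `*.example.com` context exists; a deployment that relies on a single wildcard cert for deeper subdomains would not have a valid cert for that name anyway, so sending the alert there is the honest answer.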