[stunnel-users] Server-side SNI support

Bri Hatch bri at ifokr.org
Sat Jun 18 08:21:51 CEST 2011


Roughly around Fri, Jun 17, 2011 at 10:05 PM, Michal Trojnara
<Michal.Trojnara at mirt.net> cajoled:

> I'd like the next version of stunnel to support server-side Server Name
> Indication:
> https://secure.wikimedia.org/wikipedia/en/wiki/Server_Name_Indication

Woohoo!

> The new service-level stunnel.conf option would be:
> sni = <master service>:<sni host>

Looks very straightforward, sane, and flexible - I like it.

Not sure the 'right' way to handle TCP wrappers in this case - should
tcpd checks be delayed until it is determined that sni was or wasn't
used, and then check against the actual [name], e.g. virtual vs
sni1?  Or should there be two tcpd checks, e.g. check virtual
on accept, and then sni2 iff it turns out that's the cert they're
requesting?

I'd suggest the former method - it would allow you to have more
open access for the sni services.  In the latter method you'd need
to have the virtual service's permissions be a union (or greater)
of the sni services'.


Bri Hatch, Systems and Security Engineer. http://www.ifokr.org/bri/

"I guess the operational phrase is 'Trust no one.'"
"No. Trust Ivanova, trust yourself, anybody else: shoot 'em."
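As an added illustration (not part of the post, nor stunnel's own documentation) of the layout the proposed `sni = <master service>:<sni host>` option implies, here is a constructed stunnel.conf with one master service and two SNI-selected slave services. Service names, host names, certificate paths and backend ports are all made up; the hosts.allow lines at the end assume the first of Bri's two methods (a single tcpd check against the name of the service actually selected).

```ini
# Constructed example config for server-side SNI in stunnel.
# The master service owns the listening socket and serves the default
# certificate whenever the client sends no server name, or an unknown one.
[virtual]
accept  = 443
cert    = /etc/stunnel/default.pem
connect = 127.0.0.1:8080
libwrap = yes

# Slave services attach to the master with "sni = <master service>:<sni host>".
# They have no accept line of their own: stunnel picks the slave whose
# host matches the SNI extension and uses that service's cert and backend.
[sni1]
sni     = virtual:www.example.com
cert    = /etc/stunnel/www.pem
connect = 127.0.0.1:8081
libwrap = yes

[sni2]
sni     = virtual:api.example.com
cert    = /etc/stunnel/api.pem
connect = 127.0.0.1:8082
libwrap = yes

# /etc/hosts.allow, written for the "check once, against the selected
# service name" method. With this method each SNI service carries its own
# access policy, so sni1 can be wide open while virtual and sni2 stay
# restricted; with a check-on-accept-then-check-again method, the rule
# for "virtual" would have to admit every client any slave admits.
# virtual: 10.0.0.0/8
# sni1:    ALL
# sni2:    10.0.1.0/24
```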


