[stunnel-users] client side SNI

yyy yyy at yyy.id.lv
Fri Jan 13 21:13:53 CET 2012


> Well... Not really.  There is an undocumented method to do it.  Use 
> "protocolHost" option.
How to use it? I tried simply adding protocolHost=servername into the client
configuration section, but it did not work, because the server returned the
default cert. "servername" in this case is not a recognized DNS name;
it exists only in the stunnel configuration files.
The server was able to return the proper cert and connect to the proper service;
I tested it with openssl s_client. (The default server is http, the additional
server (used with SNI) is vnc; they have different certs.)
Here is client configuration (not working):
[sni-client]
cert = clcert.crt
key = clkey.key
verify = 2
CAfile = ca.crt
client = yes
accept=5992
protocolHost=servername:443
connect=yyy.id.lv:443
TIMEOUTclose=0


> What I'm going to do is to modify "sni" option, to specify client-side
> SNI name in a client-mode section ("client = yes").

>> I am trying to run multiple independent services over the same port;
>> there is no DNS infrastructure in place, so those server names
>> would be random strings not referring to anything.

> You don't really need DNS for this.
> You could also specify your names in /etc/hosts on your client.

> Mike


-- 
Best regards,
 yyy                            mailto:yyy at yyy.id.lv