[stunnel-users] Patch to fix: Wildcard SSL certificates + SNI broken on Firefox

Stephen Balukoff sbalukoff at bluebox.net
Thu Nov 29 05:10:33 CET 2012


I noticed that when dealing with wildcard certs in stunnel where an SNI
configuration is being used, unless a specific servername context that
exactly matches the browser's requested servername is in the stunnel.conf,
stunnel responds to the client (web browser in this case) with
an SSL_TLSEXT_ERR_ALERT_FATAL. Most browsers fall back to a non-SNI request,
at which point stunnel responds with whatever the master service's
certificate is (which, if it's a wildcard cert, just works).  However, at
least one popularly used web browser (Firefox) does not do this, and
instead returns an error message to the user which they cannot (and should
not need to) override to view the site contents.

Since it's impractical to list all the possible servernames that can match
a wildcard cert, and it's also impractical to expect the Firefox
developers to change the behavior of their browser (when they shouldn't
have to), and even more impractical to expect all the current users of
Firefox to upgrade in a timely manner... I went ahead and wrote a patch for
stunnel that instructs it to look for a matching wildcard certificate if
an exactly matching servername isn't found.  I've attached this patch to
this message.

Beyond fixing the stunnel+wildcard cert+SNI+firefox problem above, the
secondary benefits of this patch are:

* stunnel now responds immediately with a matching cert in the case of a
wildcard cert, thus eliminating that first exchange which results in
the SSL_TLSEXT_ERR_ALERT_FATAL error above.  For stupid browsers and
configurations with keepalive turned off + lots of requests per page and
high latency, this should help to significantly improve performance.
* stunnel will still choose an exactly matching cert if it's available and
configured. (i.e. if the browser requests 'subdomain.example.com', and
there's a certificate configured in stunnel for 'subdomain.example.com' and
another for '*.example.com', stunnel will respond with the
'subdomain.example.com' cert.)
* one can now use multiple wildcard certs on a single IP:Port combination
thanks to SNI.  (Without this patch, you can effectively only use one
wildcard cert per IP:Port combination with stunnel.)

One note:  It's been years since I've written any C code, so I can't really
vouch for the quality of my patch.  I'm hoping at least the maintainers of
this project see the utility of the patch I'm providing and write something
similar in non-stupid C.


Stephen Balukoff
Blue Box Group, LLC
(800)613-4305 x807
-------------- next part --------------
A non-text attachment was scrubbed...
Name: stunnel-wildcard-SNI.patch
Type: application/octet-stream
Size: 1543 bytes
Desc: not available
URL: <http://www.stunnel.org/pipermail/stunnel-users/attachments/20121128/7ac0f137/attachment.obj>
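The selection rule the post describes (an exactly matching servername wins; otherwise fall back to a configured wildcard that covers the requested name; otherwise keep the old behaviour) written out as an added example in C. This is not the attached patch and not stunnel's own code: the `sni_service` struct, the function names and the sample service list are assumptions made for the example, and the wildcard semantics (a leading "*." stands for exactly one DNS label, so "*.example.com" covers "www.example.com" but not "example.com" or "a.b.example.com", which is what RFC 6125 and browsers expect) are what I would implement, not necessarily what the patch does.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>   /* strcasecmp: DNS names compare case-insensitively */

/* One configured SNI service: the servername the administrator put into
 * stunnel.conf, either an exact host or a "*.domain" wildcard.
 * Constructed for this example; not stunnel's service structure. */
struct sni_service {
    const char *servername;
};

/* Does the wildcard pattern cover the requested name?  The "*" is allowed
 * only as the whole leftmost label and stands for exactly one non-empty
 * label.  Assumes the requested name is already a bare hostname
 * (no trailing dot, no port). */
static int sni_wildcard_covers(const char *pattern, const char *requested)
{
    if (strncmp(pattern, "*.", 2) != 0)
        return 0;                          /* not a wildcard pattern */
    const char *dot = strchr(requested, '.');
    if (dot == NULL || dot == requested)
        return 0;                          /* no label, or empty first label */
    /* Everything after the first label must equal the pattern after "*",
     * e.g. ".example.com" == ".example.com".  "a.b.example.com" leaves
     * ".b.example.com", which does not match, so two labels are rejected. */
    return strcasecmp(pattern + 1, dot) == 0;
}

/* Pick the service for the SNI the client sent.  Returns the index of an
 * exactly matching servername if one is configured, else the first
 * wildcard service that covers the name, else -1 (caller keeps the
 * pre-patch behaviour: default certificate or fatal alert). */
int sni_select_service(const struct sni_service *services, size_t n,
                       const char *requested)
{
    int wildcard = -1;
    for (size_t i = 0; i < n; i++) {
        const char *p = services[i].servername;
        if (strcasecmp(p, requested) == 0)
            return (int)i;                 /* exact match always wins */
        if (wildcard < 0 && sni_wildcard_covers(p, requested))
            wildcard = (int)i;             /* remember first covering wildcard */
    }
    return wildcard;
}

/* Constructed sample configuration mirroring the post's scenario: an
 * exact entry for subdomain.example.com plus two wildcard services
 * sharing the same IP:port. */
static const struct sni_service example_services[] = {
    { "subdomain.example.com" },
    { "*.example.com" },
    { "*.example.net" },
};
#define EXAMPLE_SERVICE_COUNT \
    (sizeof(example_services) / sizeof(example_services[0]))

int main(void)
{
    const char *requests[] = {
        "subdomain.example.com", "www.example.com", "WWW.Example.COM",
        "mail.example.net", "a.b.example.com", "example.com", "other.org",
    };
    for (size_t i = 0; i < sizeof(requests) / sizeof(requests[0]); i++) {
        int idx = sni_select_service(example_services, EXAMPLE_SERVICE_COUNT,
                                     requests[i]);
        if (idx < 0)
            printf("%-24s -> no match (keep existing behaviour)\n", requests[i]);
        else
            printf("%-24s -> %s\n", requests[i], example_services[idx].servername);
    }
    return 0;
}
```

The exact-match check runs before the wildcard check on every entry rather than stopping at the first hit, so the result does not depend on the order of the service sections in stunnel.conf; only ties between two covering wildcards are resolved by configuration order. Rejecting a match across more than one label matters because a client that presents "a.b.example.com" would otherwise be handed a "*.example.com" certificate it will reject anyway.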
