[stunnel-users] Using SNI in stunnel server

Derek Cole derek.cole at gmail.com
Fri Jun 13 02:16:52 CEST 2014


Hello, I have the following config on my stunnel server:

Dereks-MacBook-Pro:server derek$ cat server.conf

;setuid = stunnel
setgid = nogroup
foreground = yes
pid = /etc/stunnel/stunnel.pid
debug = 7
output = /etc/stunnel/stunnel.log
options = NO_SSLv2
verify = 3
fips=no
CAfile=/Users/derek/cert_attempts/root_certs/cacert.pem
CApath=/Users/derek/cert_attempts/server/trusted/
[https]
cert = /Users/derek/cert_attempts/server/domain.local.pem
accept  = 443
connect = 80
;connect is the far-end openvpn connection

[exit1]
sni = https:exit1.domain.local
cert = /Users/derek/cert_attempts/server/exit1.domain.local.pem
connect=ovpn1:16081

[exit2]
sni = https:exit2.domain.local
cert=/Users/derek/cert_attempts/server/exit2.domain.local.pem
connect=ovpn2:1195


I am trying to test whether this is working by using openssl s_client with
something similar to the following:

openssl s_client -connect 10.22.1.219:443 -cert ./server/domain.local.pem
-servername exit2.domain.local

Maybe I misunderstand - but why do I have to specify -servername there? I
thought that if I specified -cert and it matched any of the cert= in my
services that are in my stunnel configuration, it would automatically know
to do that connect? It seems like if I leave off -servername entirely, it
always defaults to https no matter what cert I specify, and if I do have
-servername, it always goes to that SNI regardless of what cert I use (or
whether that cert is even valid). All three of these .pem files were
generated and signed by the same CA that I created, and they all contain
the public and private key. What am I doing wrong here?

Thanks
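A small model of how stunnel dispatches on the `sni =` option, added here as an illustration and not code from the original post or from stunnel itself. It parses a constructed config modelled on the one above (paths shortened) and resolves a ClientHello's server_name to a service: the lookup key is the SNI name only, so the client certificate passed with `-cert` (checked by `verify = 3`, but not consulted for routing) never selects a service. Only exact `sni` patterns are modelled; wildcard patterns are left out.

```python
import configparser

# Constructed sample, modelled on the server.conf in the post (paths are placeholders).
SAMPLE_CONF = """
debug = 7
verify = 3
[https]
cert = /path/to/domain.local.pem
accept  = 443
connect = 80

[exit1]
sni = https:exit1.domain.local
cert = /path/to/exit1.domain.local.pem
connect=ovpn1:16081

[exit2]
sni = https:exit2.domain.local
cert=/path/to/exit2.domain.local.pem
connect=ovpn2:1195
"""


def parse_conf(text):
    """Parse stunnel's INI-like syntax: ';' comments, '=' only (':' is part of values)."""
    cp = configparser.ConfigParser(comment_prefixes=(";", "#"), delimiters=("=",),
                                   interpolation=None, strict=False)
    # Global options precede the first [service]; park them in a throwaway section.
    cp.read_string("[_global]\n" + text)
    return {name: dict(cp[name]) for name in cp.sections() if name != "_global"}


def sni_table(services):
    """master service -> {server_name: slave service} built from 'sni = MASTER:NAME'."""
    table = {}
    for name, opts in services.items():
        if "sni" in opts:
            master, pattern = opts["sni"].split(":", 1)
            table.setdefault(master.strip(), {})[pattern.strip().lower()] = name
    return table


def route(services, master, server_name):
    """Return (service, connect target) chosen for a connection accepted by `master`.

    Mirrors what the post observed: no SNI, or an SNI with no matching slave,
    falls back to the master service; a matching SNI picks the slave, whatever
    client certificate (if any) the peer presented."""
    slaves = sni_table(services).get(master, {})
    if server_name and server_name.lower() in slaves:
        slave = slaves[server_name.lower()]
        return slave, services[slave]["connect"]
    return master, services[master]["connect"]


if __name__ == "__main__":
    svc = parse_conf(SAMPLE_CONF)
    for name in (None, "exit2.domain.local", "unknown.domain.local"):
        print(f"server_name={name!r:28} -> {route(svc, 'https', name)}")
```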