[stunnel-users] Using SNI in stunnel server

Michal Trojnara Michal.Trojnara at mirt.net
Fri Jun 13 07:35:48 CEST 2014


Derek Cole wrote:
> CAfile=/Users/derek/cert_attempts/root_certs/cacert.pem
> CApath=/Users/derek/cert_attempts/server/trusted/
>
> [https]
> cert = /Users/derek/cert_attempts/server/domain.local.pem
> accept = 443
> connect = 80 ;connect is the far-end openvpn connection
>
> [exit1]
> sni = https:exit1.domain.local
> cert = /Users/derek/cert_attempts/server/exit1.domain.local.pem
> connect=ovpn1:16081
>
> [exit2]
> sni = https:exit2.domain.local
> cert=/Users/derek/cert_attempts/server/exit2.domain.local.pem
> connect=ovpn2:1195
>
> I am trying to test whether this is working by using openssl
> s_client with something similar to the following:
>
> openssl s_client -connect <> -cert ./server/domain.local.pem -servername exit2.domain.local
> Maybe I misunderstand - but why do I have to specify -servername
> there? I thought that if I specified -cert and it matched any of
> the cert= in my services that are in my stunnel configuration, it
> would automatically know to do that connect?

You confused SNI with the client certificate selection algorithm,
which works more or less the way you described (for client certificates).

SNI allows selecting not only a server certificate (not a client
certificate!), but also other options.  SNI is intended to be used for
name-based virtual servers.

Modern web browsers and stunnel (but not the s_client testing tool)
automatically send your requested hostname in the SNI extension.  When
you connect to "exit1.domain.local" or "exit2.domain.local" those
tools will automatically request the proper service.

Without the "-servername" option s_client does not send the SNI
extension at all.
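To make the point above concrete, here is an added example (my own code, not stunnel's and not from this thread) that builds a minimal TLS ClientHello with or without the server_name extension, parses the SNI host name back out of it the way a server such as stunnel must, and dispatches to a service table modelled on the quoted configuration. The `SERVICES` mapping and the fallback to the parent `https` service are assumptions for the example; the ClientHello bytes are constructed here, not captured from a real client.

```python
import struct

# Assumed service table: SNI host name -> stunnel service name, mirroring the quoted config.
SERVICES = {
    "exit1.domain.local": "exit1",
    "exit2.domain.local": "exit2",
}


def build_client_hello(server_name=None):
    """Construct a minimal TLS 1.2 ClientHello record (constructed sample, not a capture).

    With server_name=None no extensions block is emitted at all, which is what
    s_client does when -servername is omitted.
    """
    client_version = b"\x03\x03"
    random = bytes(32)
    session_id = b"\x00"                                  # empty session id
    cipher_suites = b"\x00\x02" + b"\x00\x2f"            # one suite: TLS_RSA_WITH_AES_128_CBC_SHA
    compression = b"\x01\x00"                             # null compression only
    extensions = b""
    if server_name is not None:
        name = server_name.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name     # name_type 0 = host_name
        sn_list = struct.pack("!H", len(entry)) + entry
        extensions += struct.pack("!HH", 0, len(sn_list)) + sn_list  # extension type 0 = server_name
    body = client_version + random + session_id + cipher_suites + compression
    if extensions:
        body += struct.pack("!H", len(extensions)) + extensions
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body   # type 1 = ClientHello, 3-byte length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record):
    """Return the host_name carried in the SNI extension, or None if the client sent none."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    pos = 2 + 32                                          # skip client_version and random
    sid_len = body[pos]
    pos += 1 + sid_len
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2 + cs_len
    comp_len = body[pos]
    pos += 1 + comp_len
    if pos + 2 > len(body):
        return None                                       # no extensions block present
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = min(pos + ext_len, len(body))
    while pos + 4 <= end:
        ext_type, elen = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        data = body[pos:pos + elen]
        pos += elen
        if ext_type == 0 and len(data) >= 2:
            list_len = struct.unpack("!H", data[0:2])[0]
            q = 2
            while q + 3 <= 2 + list_len:
                ntype = data[q]
                nlen = struct.unpack("!H", data[q + 1:q + 3])[0]
                q += 3
                nval = data[q:q + nlen]
                q += nlen
                if ntype == 0:
                    return nval.decode("ascii")
    return None


def select_service(record, services=SERVICES, default="https"):
    """Dispatch like an SNI-aware server: matching virtual service, else the parent service."""
    name = extract_sni(record)
    if name is None:
        return default
    return services.get(name, default)


if __name__ == "__main__":
    for host in (None, "exit1.domain.local", "exit2.domain.local", "other.domain.local"):
        print(host, "->", select_service(build_client_hello(host)))
```

Running the block shows that a ClientHello without server_name (the `None` case) lands on the parent `https` service regardless of which client certificate is presented: the certificate plays no part in this choice, only the SNI host name does.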
