开发者

Openssl TLS extension support configuration (Server Name Indication)

I want to configure openssl client-server to support TLS extensions specifically server name indication (SNI).

I have build the latest openssl 1.0.0e on ubuntu linux without giving any additional config parameter.

 
./config
make
make install

Not sure if I need to give any additional config parameters while building for 开发者_如何学Cthis version.

Now I have set up server and connecting to it through openssl client using the standard command line tool provided by openssl, viz s_client and s_server.

My question is: how do I specify the host name to be sent as extension in s_client? Does openssl have the provision to specify server name using some parameter in commandline?

Thanks!


This has been lying dormant for some time. Since I figured this out long back, it would be logical to write the answer and put a closure to this.

The command-line option servername is available to specify SNI.

openssl s_client -connect myweb.address.com:443 -servername myweb.address.com

The above command will trigger TLS client with the given server name present in SNI extension of client hello.


For using s_server you can use the command:

openssl s_server -accept 443 -cert normal_cert.pem -key normal_key.ky -servername xyz.com -cert2 sni_cert.pem -key2 sni_key.ky

Here whenever the client will request the server without servername extension the server will reply with normal_cert and if there is servername extension is client hello then server will reply with the sni_cert.

For using s_client with SNI you can use the command:

openssl s_client -servername xyz.com -connect ip:port


The relevant commandline options are:

  • starttls prot: use the STARTTLS command before starting TLS for those protocols that support it, where 'prot' defines which one to assume. Currently only "smtp", "pop3", "imap", "ftp" and "xmpp" are supported.
  • servername host: Set TLS extension servername
0

上一篇:

下一篇:

精彩评论

暂无评论...
验证码 换一张
取 消

最新问答

问答排行榜