How to get SNI info from s_client debug logs?

John Jiang
Hi,
The following is my OpenSSL version info,
OpenSSL 1.1.0f  25 May 2017

I supposed the below command can give me some SNI info, but nothing was found.
openssl s_client -debug -tlsextdebug -msg -connect <host:port> -servername <server> < /dev/null | grep "server name"
But I found SNI extension with Wireshark while running the above command.

Is it possible to get SNI info with s_client?
Thanks!

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: How to get SNI info from s_client debug logs?

OpenSSL - User mailing list

The “server name” is something that the client sends to the server.

This allows a single host to serve multiple “virtual hosts”.

From: John Jiang <[hidden email]>
Reply-To: openssl-users <[hidden email]>
Date: Sunday, November 26, 2017 at 9:59 PM
To: openssl-users <[hidden email]>
Subject: [openssl-users] How to get SNI info from s_client debug logs?

 

Re: How to get SNI info from s_client debug logs?

Kyle Hamilton
In reply to this post by John Jiang
The -servername [host] is what causes the SNI extension to be sent.  I don't think its sending is put into the debug output. Do you really need it there?

I'm pretty certain that s_server outputs it in debug output.

-Kyle H

On Nov 26, 2017 18:59, "John Jiang" <[hidden email]> wrote:
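Kyle's point is that s_client does not print the SNI it sends, but the bytes are still in the ClientHello that `-msg` hex-dumps. As an added example (not from this thread or from OpenSSL), here is a Python parser that extracts the server_name from raw ClientHello bytes; build_client_hello() is a constructed helper so it runs offline, and the extension layout follows RFC 6066.

```python
import struct

# Added example (not from the thread or OpenSSL): pull the server_name (SNI) out
# of a raw TLS ClientHello. build_client_hello() is a constructed helper so the
# parser runs offline; the real bytes would come from `openssl s_client -msg`.

EXT_SERVER_NAME = 0x0000        # extension type of server_name (RFC 6066)
HANDSHAKE_CLIENT_HELLO = 0x01

def build_client_hello(sni=None):
    # Minimal TLS 1.2 ClientHello: one cipher suite, null compression, optional SNI.
    extensions = b""
    if sni is not None:
        host = sni.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(host)) + host       # name_type 0 = host_name
        sni_ext = struct.pack("!H", len(entry)) + entry              # server_name_list
        extensions = struct.pack("!HH", EXT_SERVER_NAME, len(sni_ext)) + sni_ext
    body = (b"\x03\x03"                      # client_version: TLS 1.2
            + b"\x11" * 32                   # random (constructed, fixed)
            + b"\x00"                        # empty session_id
            + b"\x00\x02\xc0\x2f"            # one cipher suite
            + b"\x01\x00")                   # compression_methods: null only
    if extensions:
        body += struct.pack("!H", len(extensions)) + extensions
    return bytes([HANDSHAKE_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body

def parse_sni(hello):
    # Returns the host_name from the SNI extension, or None if absent or malformed.
    try:
        if hello[0] != HANDSHAKE_CLIENT_HELLO:
            return None
        pos = 38 + 1 + hello[38]                                # header+version+random, session_id
        pos += 2 + struct.unpack_from("!H", hello, pos)[0]      # cipher_suites
        pos += 1 + hello[pos]                                   # compression_methods
        end = pos + 2 + struct.unpack_from("!H", hello, pos)[0] # extensions block
        pos += 2
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack_from("!HH", hello, pos)
            pos += 4
            if ext_type == EXT_SERVER_NAME:
                lp = pos + 2                                    # skip server_name_list length
                while lp + 3 <= pos + ext_len:
                    name_len = struct.unpack_from("!H", hello, lp + 1)[0]
                    if hello[lp] == 0:                          # host_name entry
                        return hello[lp + 3:lp + 3 + name_len].decode("ascii")
                    lp += 3 + name_len
            pos += ext_len
        return None
    except (IndexError, struct.error, UnicodeDecodeError):
        return None
```

A ClientHello without an extensions block, or truncated bytes, yields None rather than an exception, which is what you want when feeding it arbitrary captured handshakes.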
Re: How to get SNI info from s_client debug logs?

John Jiang
I just tried s_server, and its logs included something like "Hostname in TLS extension".

But I still have a couple of puzzles.
1. Why does s_server need the option "-servername"?
I supposed only s_client needs this option.
In my test, if only s_client specified "-servername server", the desired certificate still was not used.
My commands are like:
Server side: openssl s_server -cert cert1 -key key1 -cert2 cert2 -key2 key2 -www -accept 4433
Client side: openssl s_client -connect localhost:4433 -servername www.server2.com < /dev/null
Here, if www.server2.com is selected, (I hoped) cert2/key2 is used. But it didn't happen in the above case.

2. It looks like the options -servername and -alpn cannot work together.
Please consider the following case,
Server side: openssl s_server -cert cert1 -key key1 -cert2 cert2 -key2 key2 -servername www.server2.com -alpn h2 -www -accept 4433
Client side: openssl s_client -connect localhost:4433 -servername www.server2.com -alpn h2 < /dev/null
With the above commands, s_client outputted "No ALPN negotiated", and cert2 was selected.
But after removing "-servername www.server2.com" from the server side and re-running the client side command, it outputted "ALPN protocol: h2", but cert1 was selected (namely, SNI didn't work).

Thanks!

2017-11-27 12:27 GMT+08:00 Kyle Hamilton <[hidden email]>:
Re: How to get SNI info from s_client debug logs?

OpenSSL - User mailing list
> 1. Why does s_server need option "-servername"?

For debugging, so that you can test that clients are sending the right SNI extension and properly handling the TLS error when they don’t.

> 2. It looks options -servername and -alpn cannot work together.

Yes, kind-of.  The s_client and s_server programs aren’t fully-featured production programs.

