I want to configure openssl client-server to support TLS extensions specifically server name indication (SNI).

I have built the latest openssl 1.0.0e on ubuntu linux without giving any additional config parameter.

./config
make
make install

Not sure if I need to give any additional config parameters while building for this version.

Now I have set up a server and am connecting to it through the openssl client using the standard command line tools provided by openssl, viz. s_client and s_server.

My question is: how do I specify the host name to be sent as extension in s_client? Does openssl have the provision to specify server name using some parameter in commandline?

Thanks!


3 Answers


This has been lying dormant for some time. Since I figured this out long back, it would be logical to write the answer and put a closure to this.

The command-line option servername is available to specify SNI.

openssl s_client -connect myweb.address.com:443 -servername myweb.address.com

The above command will trigger a TLS client with the given server name present in the SNI extension of the client hello.

  • Do you know which version of OpenSSL added the `-servername` argument? It does not appear to exist in OpenSSL 1.0.0h. – Sam Morris Mar 19 '12 at 11:29
  • I am using this version `OpenSSL 0.9.8o 01 Jun 2010` – PravinCG Mar 19 '12 at 15:08
  • I was wrong--OpenSSL 1.0.0h does support `-servername`, as can be seen if you look at the output of `openssl s_client -h`. It is just not documented in the s_client man page. – Sam Morris Mar 20 '12 at 14:37
  • Search the OpenSSL [Change Log](http://www.openssl.org/news/changelog.html) for `SSL_set_tlsext_host_name`. It shows up under 'Changes between 0.9.8n and 1.0.0 (29 Mar 2010)'. – jww Oct 14 '13 at 23:23

For using s_server you can use the command:

openssl s_server -accept 443 -cert normal_cert.pem -key normal_key.ky -servername xyz.com -cert2 sni_cert.pem -key2 sni_key.ky

Here, whenever the client requests the server without the servername extension, the server will reply with normal_cert, and if there is a servername extension in the client hello, the server will reply with sni_cert.

For using s_client with SNI you can use the command:

openssl s_client -servername xyz.com -connect ip:port


The relevant commandline options are:

  • starttls prot: use the STARTTLS command before starting TLS for those protocols that support it, where 'prot' defines which one to assume. Currently only "smtp", "pop3", "imap", "ftp" and "xmpp" are supported.
  • servername host: Set TLS extension servername