Nmap Development mailing list archives
Re: ncat ssl client doesn't support Server Name Indication extension (SNI)
From: Nuno Gonçalves <nunojpg () gmail com>
Date: Fri, 16 Jul 2010 17:37:18 +0100
2010/7/16 David Fifield <david () bamsoftware com>:
> On Thu, Jul 15, 2010 at 01:12:08PM +0100, Nuno Gonçalves wrote:
> That web page says that SNI is supported by OpenSSL. Do you happen to know
> how to enable it? Maybe it is only a matter of an additional function call.

It's not just a matter of "enabling it"... Please look at:

openssl s_client -servername host
openssl s_server -servername host

For ncat there are essentially 3 ways of implementing it:

1 - always include the extension, where the server_name is the hostname you are trying to connect to.
2 - add the option --ssl-servername to enable it
3 - add the option --ssl-servername to enable it, with the optional parameter to specify a different server_name (you may be testing or using an IP address as hostname)

The 3rd option is the best and can also be used for the SSL server case.

http://www.openssl.org/news/changelog.html:

*) Add initial support for TLS extensions, specifically for the server_name extension so far. The SSL_SESSION, SSL_CTX, and SSL data structures now have new members for a host name. The SSL data structure has an additional member SSL_CTX *initial_ctx so that new sessions can be stored in that context to allow for session resumption, even after the SSL has been switched to a new SSL_CTX in reaction to a client's server_name extension.

New functions (subject to change):

SSL_get_servername()
SSL_get_servername_type()
SSL_set_SSL_CTX()

New CTRL codes and macros (subject to change):

SSL_CTRL_SET_TLSEXT_SERVERNAME_CB - SSL_CTX_set_tlsext_servername_callback()
SSL_CTRL_SET_TLSEXT_SERVERNAME_ARG - SSL_CTX_set_tlsext_servername_arg()
SSL_CTRL_SET_TLSEXT_HOSTNAME - SSL_set_tlsext_host_name()

openssl s_client has a new '-servername ...' option.

openssl s_server has new options '-servername_host ...', '-cert2 ...', '-key2 ...', '-servername_fatal' (subject to change). This allows testing the HostName extension for a specific single host name ('-cert' and '-key' remain fallbacks for handshakes without HostName negotiation). If the unrecognized_name alert has to be sent, this by default is a warning; it becomes fatal with the '-servername_fatal' option.

[Peter Sylvester, Remy Allais, Christophe Renou, Steve Henson]

Regards,
Nuno
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
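As an added example (not ncat's code and not from anyone in this thread), the Python below implements the option-3 name selection discussed above and builds and parses the RFC 6066 server_name extension that `s_client -servername` and SSL_set_tlsext_host_name() put into the ClientHello. The helper names and the rule that an IP literal yields no extension (RFC 6066 forbids IP addresses in host_name) are assumptions for illustration, not behaviour the post specifies.

```python
import ipaddress
import struct

# RFC 6066: extension type 0 is server_name, name type 0 is host_name.
EXT_SERVER_NAME = 0
NAME_TYPE_HOST_NAME = 0


def choose_server_name(hostname, override=None):
    """Hypothetical option-3 logic: --ssl-servername value wins; otherwise
    use the connect hostname, but send nothing for an IP literal because
    RFC 6066 does not allow IP addresses in host_name."""
    if override:
        return override
    try:
        ipaddress.ip_address(hostname)
    except ValueError:
        return hostname  # not an IP literal, safe to use as host_name
    return None


def encode_sni_extension(server_name):
    """Serialize one host_name entry as a raw ClientHello extension:
    type(2) len(2) | list_len(2) | name_type(1) name_len(2) name."""
    name = server_name.encode("idna")
    entry = struct.pack("!BH", NAME_TYPE_HOST_NAME, len(name)) + name
    name_list = struct.pack("!H", len(entry)) + entry
    return struct.pack("!HH", EXT_SERVER_NAME, len(name_list)) + name_list


def parse_sni_extension(data):
    """Extract the host_name from a server_name extension, checking that every
    nested length field is consistent so a truncated or padded blob is rejected."""
    if len(data) < 9:
        raise ValueError("extension too short")
    ext_type, ext_len = struct.unpack("!HH", data[:4])
    if ext_type != EXT_SERVER_NAME or ext_len != len(data) - 4:
        raise ValueError("not a well-formed server_name extension")
    (list_len,) = struct.unpack("!H", data[4:6])
    if list_len != ext_len - 2:
        raise ValueError("server_name_list length mismatch")
    name_type, name_len = struct.unpack("!BH", data[6:9])
    if name_type != NAME_TYPE_HOST_NAME or name_len != list_len - 3:
        raise ValueError("unsupported name type or bad host_name length")
    return data[9:9 + name_len].decode("idna")
```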