I want to configure an openssl client and server to support TLS extensions, specifically Server Name Indication (SNI).
I have built the latest openssl 1.0.0e on Ubuntu Linux without giving any additional config parameters.
./config
make
make install
Not sure if I need to give any additional config parameters while building for this version.
Now I have set up the server and am connecting to it through the openssl client, using the standard command-line tools provided by openssl, viz. s_client and s_server.
My question is: how do I specify the host name to be sent as an extension in s_client? Does openssl have a provision to specify the server name using some parameter on the command line?
Thanks!
This has been lying dormant for some time. Since I figured this out a long time ago, it would be logical to write the answer and bring closure to this.
The command-line option servername is available to specify SNI.
openssl s_client -connect myweb.address.com:443 -servername myweb.address.com
The above command will trigger a TLS client with the given server name present in the SNI extension of the client hello.
For using s_server you can use the command:
openssl s_server -accept 443 -cert normal_cert.pem -key normal_key.ky -servername xyz.com -cert2 sni_cert.pem -key2 sni_key.ky
Here, whenever the client connects to the server without the servername extension, the server will reply with normal_cert, and if there is a servername extension in the client hello, then the server will reply with sni_cert.
For using s_client with SNI you can use the command:
openssl s_client -servername xyz.com -connect ip:port