Use cURL with SNI (Server Name Indication)

Question

I am trying to use cURL to post to an API that just started using SNI (so they could host multiple ssl certs on 1 IP address).

My cURL stopped working as a result o

Answer 1

To be able to use SNI, three conditions are required:

• Using a version of Curl that supports it, at least 7.18.1, according to the change logs.
• Using a version of Curl compiled against a library that supports SNI, e.g. OpenSSL 0.9.8j (depending on the compilation options some older versions).
• Using TLS 1.0 at least (not SSLv3).

Note that Curl's debug code (-v) only displays the major version number (mainly to distinguish between SSLv2 and SSLv3+ types of messages, see ssl_tls_trace), so it will still display "SSLv3" when you use TLS 1.0 or above (because they're effectively SSL v3.1 or above, 3 is the same major version number).

You could check that your installed version of curl can use SNI using Wireshark. If you make a connection using curl -1 https://something, if you expand the "Client Hello" message, you should be able to see a "server_name" extension.

I'm not sure which SSL/TLS version is used by default (depending on your compilation options) when you use curl without -1 (for TLS 1.0) or -3 (for SSLv3), but you can try to force -1 on your command, since it won't work with SSLv3 anyway.

Answer 2

Along with the required library and Curl version, the request should use resolve to send SNI in the curl:

curl -vik --resolve example.com:443:198.18.110.10 https://example.com/