sni

问题 I'm using OpenSSL 0.9.8q in FreeBSD-8.2. I have 3 virtual hosts on my system and want to implement SNI to serve for all 3 of them in one server. I have 3 separate certificates one for each, and in my ssl-server code I have to somehow find out what is the domain-name of client's request, and use the appropriate certificate file based on that. For this I wrote a function named get_ssl_servername_cb and passed it as callback function to SSL_CTX_set_tlsext_servername_callback . This way, in

问题 How to implement Server Name Indication(SNI) on OpenSSL in C or C++? Are there any real world examples available? 回答1: On the client side, you use SSL_set_tlsext_host_name(ssl, servername) before initiating the SSL connection. On the server side, it's a little more complicated: Set up an additional SSL_CTX() for each different certificate; Add a servername callback to each SSL_CTX() using SSL_CTX_set_tlsext_servername_callback() ; In the callback, retrieve the client-supplied servername with

问题 Does wget support SNI? If so, can someone show me a sample command? I am not able to find in the man page how to set the server name. 回答1: There is nothing you need to configure to use SNI but you have to use a wget version which supports it. Support for SNI was added in version 1.14 which was released 08/2012. 来源： https://stackoverflow.com/questions/36559821/wget-tls-sni-support-setting-server-name

问题 As per Wikipedia, Java 1.7 should support SNIServerName, but as per Java docs there is no such class in their javax.net.ssl package.Can someone please clarify this? Will I have to use Java 8 API to use SNIServerName class? 回答1: The support is there, see https://docs.oracle.com/javase/7/docs/technotes/guides/security/enhancements-7.html: Server Name Indication (SNI) for JSSE client: The Java SE 7 release supports the Server Name Indication (SNI) extension in the JSSE client. SNI is described

问题 There is a ton of information available about cURL and SSL, but not so much is out there about writing a server. I have a small local server written in PHP that I would like to have TLS/SSL enabled. I am having issues with my server crashing upon secure connections. I am only receiving the error, "PHP Warning: stream_socket_accept(): Failed to enable crypto". I have an identical server running without TLS, and it is working fine. I have an idea it is the certificates, or the connection to

问题 The following snippet works perfectly as long as only one tls certificate is enabled on the nginx server. OkHttpClient client = new OkHttpClient(); Request request = new Request.Builder() .url("ENDPOINT").build(); Response response = client.newCall(request).execute(); System.out.println(response.body().string()); Activating a site with a different certificate causes nginx to enable SNI. That apparently breaks both on Oracle Java 7 as well as OpenJDK 7. Exception in thread "main" java.net

问题 I am using embedded Tomcat and using SSLHostConfig to add SNI certificates when I create the connector. It works wonderfully. I am also able to add certificates without restarting Tomcat using something like this: SSLHostConfig sslHostConfig = new SSLHostConfig(); sslHostConfig2.setHostName(host); sslHostConfig2.setCertificateFile(path); connector.addSslHostConfig(sslHostConfig); This also works perfectly. Also, without restarting Tomcat, I can get a list of all the existing SSLHostConfig

问题 I find myself needing to set up a WebSocket connection in a hostile environment in which a firewall sniffs SNI information from TLS which I'd rather it didn't. In my particular case, the WebSocket server does not use SNI for request handling, so as such, the SNI part of the handshake could be safely removed. My question then becomes: In the golang.org WebSocket package, golang.org/x/net/websocket , what is the simplest way to strip SNI information while retaining validation of the provided

问题 I couldn't manage using SNICallback on createServer function. When I try the below codes I get an error as Missing PFX or certificate + pricate key. How can I solve this issue? var fs = require('fs'), tls = require('tls'), https = require('https'); var certs = { "safe.myDomain.com": { key: fs.readFileSync('../SSL/safe/private/key.pem'), cert: fs.readFileSync('../SSL/safe/certs/cert.pem') }, "api.myDomain.com": { key: fs.readFileSync('../SSL/api/private/key.pem'), cert: fs.readFileSync('../SSL

问题 I'm trying to use Python to test a web server. I have nearly no experience with Python, but encouraged to use it because its easy to learn and simple to do things with (someone else's opinion, not mine at the moment). The script I am using is: s1 = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s2 = ssl.wrap_socket(s1, ca_certs="./pki/signing-dss-cert.pem", cert_reqs=ssl.CERT_REQUIRED, ssl_version=ssl.PROTOCOL_TLSv1, server_hostname="localhost") s2.connect( ("localhost", 8443) ) s2.send(