[openssl-users] How to get SNI info from s_client debug logs?

John Jiang john.sha.jiang at gmail.com
Mon Nov 27 07:04:25 UTC 2017


I just tried s_server, and its logs included something like "Hostname in
TLS extension".

But I still have a couple of puzzles.
1. Why does s_server need option "-servername"?
I supposed only s_client needs this option.
With my test, if only s_client specified "-servername server", the desired
certificate was still not used.
My commands were like:
Server side: openssl s_server -cert cert1 -key key1 -cert2 cert2 -key2 key2 -www -accept 4433
Client side: openssl s_client -connect localhost:4433 -servername www.server2.com < /dev/null
Here, if www.server2.com is selected, (I hoped) cert2/key2 would be used. But that
didn't happen in the above case.

2. It looks like options -servername and -alpn cannot work together.
Please consider the following case:
Server side: openssl s_server -cert cert1 -key key1 -cert2 cert2 -key2 key2 -servername www.server2.com -alpn h2 -www -accept 4433
Client side: openssl s_client -connect localhost:4433 -servername www.server2.com -alpn h2 < /dev/null
With the above commands, s_client output "No ALPN negotiated", and cert2
was selected.
But after removing "-servername www.server2.com" from the server side and re-running the
client side command, it output "ALPN protocol: h2", but cert1 was
selected (namely, SNI didn't work).

Thanks!

2017-11-27 12:27 GMT+08:00 Kyle Hamilton <aerowolf at gmail.com>:

> The -servername [host] is what causes the SNI extension to be sent.  I
> don't think its sending is put into the debug output. Do you really need it
> there?
>
> I'm pretty certain that s_server outputs it in debug output.
>
> -Kyle H
>
> On Nov 26, 2017 18:59, "John Jiang" <john.sha.jiang at gmail.com> wrote:
>
>> Hi,
>> The following is my OpenSSL version info,
>> OpenSSL 1.1.0f  25 May 2017
>>
>> I supposed the command below could give me some SNI info, but nothing was
>> found.
>> openssl s_client -debug -tlsextdebug -msg -connect <host:port> -servername <server> < /dev/null | grep "server name"
>> But I found the SNI extension with Wireshark while running the above command.
>>
>> Is it possible to get SNI info with s_client?
>> Thanks!
>>
>> --
>> openssl-users mailing list
>> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users