I tried the most naïve approach, but it doesn't output anything as I make
curl requests

    sudo ssldump \
        -k /usr/local/lib/node_modules/serve-https/node_modules/localhost.daplie.com-certificates/certs/server/my-server.key.pem

So I thought maybe I *must* supply an interface

    sudo ssldump \
        -k /usr/local/lib/node_modules/serve-https/node_modules/localhost.daplie.com-certificates/certs/server/my-server.key.pem \
        -i lo \
        > dump.0.tls.bin

Turns out that was correct.

To limit verbosity I just captured one full request where it succeeded and
then another when it didn't

    # this is the one that worked as expected
    pastebinit dump.1.tls.bin
    http://paste.ubuntu.com/11811750/

    # this is the one that went to default anyway
    pastebinit dump.2.tls.bin
    http://paste.ubuntu.com/11811751/

Both were produced by curl --insecure https://baz.example.com:64443

I was expecting that the -k option would require just my server's key and
that it would be able to decrypt data to plaintext. However, I see that it
didn't decrypt, so perhaps I need to convert the keyfile to another format
or bundle the certificate with the keys?

Let me know if this is the format you expected. If not, please tell me what
options I should be passing or what I might be doing wrong.

AJ ONeal
(317) 426-6525

On Thu, Jul 2, 2015 at 12:37 PM, Lukas Tribus <luky...@hotmail.com> wrote:

>
> >      sudo haproxy -db -f /etc/haproxy/haproxy.cfg
>
> Backend IPs are 0.0.0.0. That's probably not what you want.
> Should be 127.0.0.1 if I understand correctly.
>
>
>
> > I've edited /etc/hosts so that baz.example.com
> > points to 127.0.0.1
> >
> > I've created a few bogus servers
> >
> >      npm install -g serve-https
> >      serve-https -p 1443 -c 'Default on 1443' &
> >      serve-https -p 2443 -c 'bar on 2443' &
> >      serve-https -p 3443 -c 'baz on 3443' &
> >
> > And then I test, but I get random results. It only follows the SNI
> > rules sometimes
> >
> >      curl --insecure https://baz.example.com:64443
> >      baz
> >
> >      curl --insecure https://baz.example.com:64443
> >      Default on 1443
>
> Can you post "ssldump" captures of this traffic (working and
> non working)?
>
>
> Regards,
> Lukas
>
>
