On 2015-11-24, Uwe Werler <uwe.wer...@retiolum.eu> wrote:
> Hello,
>
> I'm just testing ssl interception and noticed the following problem. 
> Sometimes the Subject/Subject Alternative Name of the cert is altered with a 
> different name than the one the original cert has:

When relayd connects to the server to find out what names to use in
the subject/SAN, it doesn't send the requested hostname (SNI) in
the ClientHello, so it only has the information from the server's
"default" certificate to include in the new generated certificate.

You can see this for yourself with openssl s_client -connect hostname:443
compared with openssl s_client -connect hostname:443 -servername hostname.
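
The same comparison as a script (an added example, not part of the original message and not relayd code): it fetches the certificate once without SNI and once with it, then reports whether the no-SNI "default" certificate still covers the requested hostname. The function names and the sample certificates are hypothetical and constructed for illustration.

```python
import socket
import ssl

def fetch_cert(host, port=443, send_sni=True, timeout=5):
    """Return the peer certificate as a getpeercert() dict, with or without SNI."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # needed to omit server_hostname; the chain is still verified
    with socket.create_connection((host, port), timeout=timeout) as sock:
        # Raises ssl.SSLCertVerificationError if the certificate fails chain validation.
        with ctx.wrap_socket(sock, server_hostname=host if send_sni else None) as tls:
            return tls.getpeercert()

def cert_names(cert):
    """Collect the subject CN and DNS subjectAltName entries, lowercased."""
    names = {v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"}
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                names.add(value.lower())
    return names

def covers(names, hostname):
    """True if a name matches hostname; '*.' matches exactly one leftmost label."""
    host = hostname.lower().rstrip(".")
    for name in names:
        if name == host:
            return True
        if name.startswith("*.") and "." in host and host.split(".", 1)[1] == name[2:]:
            return True
    return False

def diagnose(hostname, cert_no_sni, cert_sni):
    """Classify what a client that omits SNI would learn about hostname."""
    default_names, sni_names = cert_names(cert_no_sni), cert_names(cert_sni)
    if default_names == sni_names:
        return "same"
    if covers(default_names, hostname):
        return "differs-but-covers"
    return "default-cert-mismatch"

# Constructed sample certificates in the dict layout getpeercert() returns.
DEFAULT_CERT = {"subject": ((("commonName", "default.hosting.invalid"),),),
                "subjectAltName": (("DNS", "default.hosting.invalid"),)}
SNI_CERT = {"subject": ((("commonName", "www.example.org"),),),
            "subjectAltName": (("DNS", "www.example.org"), ("DNS", "example.org"))}

if __name__ == "__main__":
    # Live use: diagnose(h, fetch_cert(h, send_sni=False), fetch_cert(h))
    print(diagnose("www.example.org", DEFAULT_CERT, SNI_CERT))
```

A result of "default-cert-mismatch" is the situation described in the reply: the names available without SNI are not the ones the client asked for.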
