Thank you very much for the explanation, Stuart!

I'll check this.

On 25. Nov  8:02:17, Stuart Henderson wrote:
> On 2015-11-24, Uwe Werler <uwe.wer...@retiolum.eu> wrote:
> > Hello,
> >
> > I'm just testing ssl interception and noticed the following problem. 
> > Sometimes the Subject/Subject Alternative Name of the cert is altered with 
> > a different name than the one the original cert has:
> 
> When relayd connects to the server to find out what names to use in
> the subject/SAN, it doesn't send the requested hostname (SNI) in
> the ClientHello, so it only has the information from the server's
> "default" certificate to include in the new generated certificate.
> 
> You can see this for yourself with openssl s_client -connect hostname:443
> compared with openssl s_client -connect hostname:443 -servername hostname.
> 
