I just tried s_server, and its logs included something like "Hostname in TLS extension".
But I still have a couple of puzzles. 1. Why does s_server need option "-servername"? I supposed only s_client needs this option. With my test, if only s_client specified "-servername server", the desired certificate still was not used. My commands like: Server side: openssl s_server -cert cert1 -key key1 -cert2 cert2 -key2 key2 -www -accept 4433 Client side: openssl s_client -connect localhost:4433 -servername www.server2.com < /dev/null Here, if www.server2.com is selected, (I hoped) cert2/key2 is used. But it didn't happen with the above case. 2. It looks options -servername and -alpn cannot work together. Please consider the following case, Server side: openssl s_server -cert cert1 -key key1 -cert2 cert2 -key2 key2 -servername www.server2.com -alpn h2 -www -accept 4433 Client side: openssl s_client -connect localhost:4433 -servername www.server2.com -alpn h2 < /dev/null With the above commands, s_client outputted "No ALPN negotiated", and cert2 was selected. But removed "-servername www.server2.com" from server side, and re-run client side command, it outputted "ALPN protocol: h2", but cert1 was selected (namely, SNI didn't work). Thanks! 2017-11-27 12:27 GMT+08:00 Kyle Hamilton <aerow...@gmail.com>: > The -servername [host] is what causes the SNI extension to be sent. I > don't think its sending is put into the debug output. Do you really need it > there? > > I'm pretty certain that s_server outputs it in debug output. > > -Kyle H > > On Nov 26, 2017 18:59, "John Jiang" <john.sha.ji...@gmail.com> wrote: > >> Hi, >> The following is my OpenSSL version info, >> OpenSSL 1.1.0f 25 May 2017 >> >> I supposed the below command can give me some SNI info, but nothing was >> found. >> openssl s_client -debug -tlsextdebug -msg -connect <host:port> >> -servername <server> < /dev/null | grep "server name" >> But I found SNI extension with Wireshark while running the above command. >> >> Is it possible get SNI info with s_client? >> Thanks! >> >> -- >> openssl-users mailing list >> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users >> >> > -- > openssl-users mailing list > To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users > >
-- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users