Re: Now follows SNI rules, except from curl on OSX

2015-07-03 Thread AJ ONeal (Home)
>
> The big question is why does curl on mac sometimes send the SNI value
> and sometimes not?
>
> Maybe it has something to do with the -k/--insecure argument?
>
> Which certificate are you getting if you do:
> curl --insecure https://coolaj86.com

BINGO!

Ugh... well, at least some half-decent do

RE: Now follows SNI rules, except from curl on OSX

2015-07-03 Thread Lukas Tribus
> Yep, it's OS X curl.
>
> curl 7.37.1 (x86_64-apple-darwin14.0) libcurl/7.37.1
> SecureTransport zlib/1.2.5
> Protocols: dict file ftp ftps gopher http https imap imaps ldap
> ldaps pop3 pop3s rtsp smtp smtps telnet tftp
> Features: AsynchDNS GSS-Negotiate IPv6 Largefile NTLM NTLM_WB SSL lib

Re: Now follows SNI rules, except from curl on OSX

2015-07-03 Thread AJ ONeal (Home)
>
> Try: curl https://sni.velox.ch/ -k
>
> You will see that SNI doesn't work with this client.
>
> Also see:
> https://mumble.org.uk/blog/2014/03/12/gpg-and-openssl-and-curl-and-osx/

I'm a little confused... because I see that you're correct about https://sni.velox.ch in that I see an error mess

RE: Now follows SNI rules, except from curl on OSX

2015-07-03 Thread Lukas Tribus
That should have read:

> The capture shows that there is *no* SNI emitted by the client. I think your
> node.js SNI tests was bogus, and that curl doesn't properly support SNI
> *if* the crypto library is SecureTransport instead of openssl, gnutls or
> cyassl.

RE: Now follows SNI rules, except from curl on OSX

2015-07-02 Thread Lukas Tribus
> sudo tcpdump -ps0 -i eth0 -w eth0.64443.cap tcp port 64443
>
> And then this on my Yosemite Mac
>
> curl --insecure https://baz.example.com:64443
>
> And here's the result

The capture shows that there is now SNI emitted by the client. I thin

Re: Now follows SNI rules, except from curl on OSX

2015-07-02 Thread Cyril Bonté
Hi,

On 03/07/2015 04:26, AJ ONeal (Home) wrote:
Sounds like that client hello from curl@mac looks different than we expect, therefore SNI parsing fails. Can you provide the same tcpdump captures again, this time from the mac curl client that fails? I ran this on the server

Re: Now follows SNI rules, except from curl on OSX

2015-07-02 Thread AJ ONeal (Home)
>
> Sounds like that client hello from curl@mac looks different
> than we expect, therefore SNI parsing fails. Can you provide
> the same tcpdump captures again, this time from the mac
> curl client that fails?
>

I ran this on the server
sudo tcpdump -ps0 -i eth0 -w eth0.64443.cap tcp port 644

RE: Now follows SNI rules, except from curl on OSX

2015-07-02 Thread Lukas Tribus
> But when I use curl bundled with Yosemite (or from Brew) on my macbook,
> it's not switching.
>
> curl --insecure https://bar.example.com:64443
> Default on 1443
>
> These are the versions I'm testing with:
>
> curl --version
> curl 7.37.1 (x86_64-apple-darwin14.0) libcurl/7.37.1
> Sec