Friday Oct 11, 2013

Configuring Server Name Indication (SNI) in Oracle Traffic Director 11.1.1.6 and 11.1.1.7

What is SNI ? It is explained very well in http://en.wikipedia.org/wiki/Server_Name_Indication

If your SSL server needs certificate(s) for different domains, you can choose one of the different options :
  • Use multiple certificates using SNI feature (configure server to return different certificates for different domains) - recommended
  • Use a single certificate with SubjectAltName Extension (one hostname in CN and other hostnames in SubjectAltName extension in the certificate)
  • Use a single certificate with wild card in subject (lets say certificate with "CN=*.*.oracle.com", so it will be valid for different domains) - not preferred
  • Notes

    • Unbound Virtual Server: <virtual-server> doesn't have <http-listener> as a sub element.
    • Bound Virtual Server: <virtual-server> has a <http-listener> sub element, it is said to be bound to that http listener.
    • To figure out which Virtual server is the Default Virtual Server for a listener, look at the Virtual Server name in <default-virtual-server> of <http-listener> in server.xml.

    How to configure SNI in Oracle Traffic Director

    In this blog I will cover the following

    Enable SSL on an HTTP listener and create a certificate for it. Create two Virtual Servers both bound to an HTTP listener. One of the Virtual Server contains a certificate and the other doesn't. Send SNI and non-SNI requests to those two Virtual Servers.

    Create and add certificate for the default Virtual Server(which could be unbound or bound) and add <host> element value of <host> of our Virtual Server which doesn't have a certificate. Send a SNI request to the virtual server which doesn't have a certificate, it returns certificate from the default virtual server.

    What we will find out  is

    • If SNI host is NOT sent by the browser in SSL Handshake, then the server sends the certificate from the http listener. --------- 1
    • else (i.e. if SNI host is sent by the browser in SSLHandshake)
      • If SNI Host sent by browser doesn't match with a <host> element in any of the bound Virtual server  - goto STEP 2
      • else (i.e. If SNI host sent by browser matches with <host> element of any bound Virtual Server)
        • If that Virtual Server has certificate,  the server sends the certificate from the Virtual Server. ----------- 2
        • else (that Virtual Server DOES NOT have a certificate) - goto STEP 2

    STEP 2: get the default Virtual Server for this http listener :

      • If the default virtual Server DOES NOT have a certificate, then the server sends the cert from the http listener ------- 3
      • else (i.e. If the default virtual Server has a certificate) then the server sends the cert from this default Virtual Server ------- 4

    Exercise for readers : If Virtual Server has certificate of only one Type either ECC or RSA,  but the http listener has two types of certs one each of ECC and RSA (this should not happen in ideal case), then the server will send Virtual Server's cert has OR http listener certificate depending on the cipher requested in SSL Handshake.

     Files  Contents
    sni-abc.req
    HEAD /index.html HTTP/1.1
    Host: abc
    Connection: close
     sni-anyhost.req HEAD /index.html HTTP/1.1
    Host: anyOtherValue
    Connection: close
     sni-nocertvs.req HEAD /index.html HTTP/1.1
    Host: www.nocertvs.com
    Connection: close

    TSTCLNT="tstclnt" is NSS tool to send SSL requests to the server.

    1. Install OTD

    2. Start the Origin Server

    3. Start OTD Admin Server

    4. Create self signed cert for the http listener with subject name "www.ls.com" (for easy identification) and nickname "Server-Cert"

    $INSTANCE_HOME/bin/tadm create-selfsigned-cert --user=admin --port=$TD_ADMIN_PORT --password-file=$DEMO_DIR/admin.passwd --config=$CONFIG --server-name=www.ls.com --nickname=Server-Cert --key-type=rsa

    CLI201 Command 'create-selfsigned-cert' ran successfully

    5. Enable SSL and set this self signed cert with nickname "Server-Cert" in the http listener

    $INSTANCE_HOME/bin/tadm set-ssl-prop --user=admin --port=$TD_ADMIN_PORT --password-file=$DEMO_DIR/admin.passwd --config=$CONFIG --http-listener=http-listener-1 enabled=true server-cert-nickname=Server-Cert

    CLI201 Command 'set-ssl-prop' ran successfully

    6. Create a Virtual Server VSabc with www.abc.com <host> in server.xml  and bind it to the http listener "http-listener-1"

    $INSTANCE_HOME/bin/tadm create-virtual-server --user=admin --port=$TD_ADMIN_PORT --password-file=$DEMO_DIR/admin.passwd --config=$CONFIG --host-pattern=www.abc.com --http-listener-name=http-listener-1 --origin-server-pool-name=origin-server-pool-1 VSabc

    CLI201 Command 'create-virtual-server' ran successfully

    7. Create self signed cert for the Virtual Server with subject "www.abc.com" and nickname "abc"

    $INSTANCE_HOME/bin/tadm create-selfsigned-cert --user=admin --port=$TD_ADMIN_PORT --password-file=$DEMO_DIR/admin.passwd --config=$CONFIG --server-name=www.abc.com --nickname=abc --key-type=rsa

    Command 'create-selfsigned-cert' ran successfully

    8. Set this certificate with nickname "abc" and subject "www.abc.com" in the Virtual Server "VSabc"

    $INSTANCE_HOME/bin/tadm set-virtual-server-prop --user=admin --port=$TD_ADMIN_PORT --password-file=$DEMO_DIR/admin.passwd --config=$CONFIG --vs=VSabc server-cert-nickname=abc

    CLI201 Command 'set-virtual-server-prop' ran successfully

    9. Create a Virtual Server VSnocertvs with "www.nocertvs.com" <host> in server.xml

    $INSTANCE_HOME/bin/tadm create-virtual-server --user=admin --port=$TD_ADMIN_PORT --password-file=$DEMO_DIR/admin.passwd --config=$CONFIG --host-pattern=www.nocertvs.com --http-listener-name=http-listener-1 --origin-server-pool-name=origin-server-pool-1 VSnocertvs

    CLI201 Command 'create-virtual-server' ran successfully

    10. Set the error log level to "finest" if you wish to see log messages are logged for SNI at all levels

    $INSTANCE_HOME/bin/tadm set-log-prop --user=admin --port=$TD_ADMIN_PORT --password-file=$DEMO_DIR/admin.passwd --config=$CONFIG log-level=finest

    CLI201 Command 'set-log-prop' ran successfully

    11. Deploy these changes

    $INSTANCE_HOME/bin/tadm deploy-config --force --user=admin --port=$TD_ADMIN_PORT --password-file=$DEMO_DIR/admin.passwd $CONFIG

    CLI201 Command 'deploy-config' ran successfully

    12. Start the server instance

    $INSTANCE_HOME/bin/tadm start-instance --user=admin --port=$TD_ADMIN_PORT --password-file=$DEMO_DIR/admin.passwd --config=$CONFIG

    CLI204 Successfully started the server instance.

    Testing using tstclnt / Browser

    13. Just for testing add www.abc.com  and www.nocertvs.com entries in /etc/hosts.

    cat /etc/hosts | grep www.abc.com
    cat /etc/hosts | grep www.nocertvs.com

    Ideally your DNS server must resolve these hosts to the same IP address we are using in OTD http listener.

    14. Send a request via tstclnt with -a "www.abc.com"(sends this host in SSL handshake) and in request headers Host: "www.abc.com" - should get cert from the Virtual Server VSabc with subject  DN "CN=www.abc.com"

    $TSTCLNT -c y -h $HOST -d $INSTANCE_HOME/https-$CONFIG/config -n Server-Cert -o -p $TD_PORT -2 -a www.abc.com < $DEMO_DIR/sni-abc.req

    15. Send a request via tstclnt with -a "www.nocertvs.com"(sends this host in SSL handshake) and in request headers Host: "www.nocertvs.com" - should get cert from the http listener with subject DN "CN=www.ls.com" as Virtual Server VSnocertvs with <host> www.nocerts.com doesn't have any certs.

    $TSTCLNT -c y -h $HOST -d $INSTANCE_HOME/https-$CONFIG/config -n Server-Cert -o -p $TD_PORT -2 -a www.nocertvs.com < $DEMO_DIR/sni-nocertvs.req

    16. Send a NON SNI request via tstclnt i.e. WITHOUT any host in SSL Handshake - should get the cert from the http listener with subject DN "CN=www.ls.com"

    $TSTCLNT -c y -h $HOST -d $INSTANCE_HOME/https-$CONFIG/config -n Server-Cert -o -p $TD_PORT -2 < $DEMO_DIR/sni-anyhost.req

    Summary

    • If SNI host is NOT sent by the browser in SSL Handshake, then the cert is returned from http listener.
    • If SNI host is sent by the browser in SSLHandshake and it matches with <host> element in Virtual Server, cert is returned from that Virtual Server.
    • If SNI host is sent by the browser in SSLHandshake and it matches <host> element in Virtual Server which doesn't have any certificates, certificate is returned from that http listener. - This gets a bit more complicated with Default virtual servers, will discuss in the next section.

    Advanced - Default Virtual Server tests

    17. Stop the instance

    $INSTANCE_HOME/bin/tadm stop-instance --user=admin --port=$TD_ADMIN_PORT --password-file=$DEMO_DIR/admin.passwd --config=$CONFIG

    CLI205 Successfully stopped the server instance.

    18. Create self signed cert with subject "www.defaultvscert.com" for the Default Virtual Server (Virtual Server in <default-virtual-server> of http-listener in server.xml i.e. in our case it is Virtual server with vs name $CONFIG)

    $INSTANCE_HOME/bin/tadm create-selfsigned-cert --user=admin --port=$TD_ADMIN_PORT --password-file=$DEMO_DIR/admin.passwd --config=$CONFIG --server-name=www.defaultvscert.com --nickname=defaultvscert --key-type=rsa

    CLI201 Command 'create-selfsigned-cert' ran successfully

    19. Set this certificate with subject "www.defaultvscert.com" in the Default Virtual Server (vs name $CONFIG)

    $INSTANCE_HOME/bin/tadm set-virtual-server-prop --user=admin --port=$TD_ADMIN_PORT --password-file=$DEMO_DIR/admin.passwd --config=$CONFIG --vs=$CONFIG server-cert-nickname=defaultvscert

    CLI201 Command 'set-virtual-server-prop' ran successfully

    20. Deploy the changes

    $INSTANCE_HOME/bin/tadm deploy-config --force --user=admin --port=$TD_ADMIN_PORT --password-file=$DEMO_DIR/admin.passwd $CONFIG

    CLI201 Command 'deploy-config' ran successfully

    21. Start the instance

    $INSTANCE_HOME/bin/tadm start-instance --user=admin --port=$TD_ADMIN_PORT --password-file=$DEMO_DIR/admin.passwd --config=$CONFIG

    CLI204 Successfully started the server instance.

    22. Send a request via tstclnt with -a "www.nocertvs.com"(sends this host in SSL handshake) and in request headers Host: "www.nocertvs.com" - should get cert from default virtual server subject DN: CN=www.defaultvscert.com"

    $TSTCLNT -c y -h $HOST -d $INSTANCE_HOME/https-$CONFIG/config -n Server-Cert -o -p $TD_PORT -2 -a www.nocertvs.com < $DEMO_DIR/sni-nocertvs.req

    Summary

    If SNI host is sent by the browser in SSL Handshake,

    • look for every Virtual Server bound to that http listener if it has <host> element whose value matches with it,
      • if that VS has certs - return cert from this VS.
      • if that VS doesnt have any certs, then
        • get the default Virtual Server(default-virtual-server>) for this http listener(it may be bound or it may be unbound),
          • if default VS has a certificate - return cert from this default VS
          • else  - return the certificates form http listener.

    FLOW CHART OF SNI


Thursday Mar 31, 2011

SNI and bench marking tools - ab and siege

SNI and bench marking tools - ab and siege

I wanted to do some performance measurements on some SNI server using some too. I evaluated two tools.

1. "ab" (Apache HTTP server benchmarking tool)

So I have to build "ab" so that it takes HTTPS URL and not just HTTP URL and sends TLS SNI extension in SSL handshake.

1.1. Download OpenSSL and Apache source code

I downloaded OpenSSL source code (openssl-1.0.0d.tar) from http://www.openssl.org/source/ and Apache source code from http://httpd.apache.org/ (httpd-2.3.11-beta.tar and httpd-2.3.11-beta-deps.tar).

But I had to make the following two changes in Apache code.

1.2. Modify configure.in

$diff configure.in configure.in.ORIGINAL
611,614d610
< if test "$enable_ssl" != "no"; then
<   APR_ADDTO(DEFS, "-DAB_USE_SSL")
< fi
<

I took these changes from http://www.mail-archive.com/dev@httpd.apache.org/msg25661.html

1.3. Modify support/ab.c

First I tried  calling the function SSL_set_tlsext_host_name(c->ssl, host_field); but it gave undefined symbol error, so I used SSL_ctrl function instead.

$diff ab.c ab.c.orig
184d183
< #include <openssl/tls1.h> /\* for TLSEXT_NAMETYPE_host_name \*/
1182d1180
<
1244,1245d1241
<         SSL_ctrl(c->ssl, SSL_CTRL_SET_TLSEXT_HOSTNAME, TLSEXT_NAMETYPE_host_name, host_field);
< 

1.4. Building and Installing OpenSSL and Apache

I built and installed OpenSSL and Apache as given in

http://www.linuxquestions.org/questions/linux-server-73/openssl-support-for-sni-and-tls-799387/#10


OpenSSL :

$./config --prefix=/usr/local --openssldir=/usr/local/openssl enable-tlsext shared
$make && make install


Apache :

$LDFLAGS=-L/usr/local/lib CPPFLAGS=-I/usr/local/include/ ./configure --enable-so --enable-ssl --enable-rewrite --enable-unique-id --with-ssl=/usr/local/
$make && make install

1.5. Send a test request using "ab" and confirm using ssltap

Set LD_LIBRARY_PATH to the OpenSSL directory (containing libssl.so) :

    $export LD_LIBRARY_PATH=/usr/local/lib/:$LD_LIBRARY_PATH

Confirm that ab -help shows "http[s]" in the usage as shown below :

   $/usr/local/apache2/bin/ab -help

   Usage: ./ab [options] [http[s]://]hostname[:port]/path

Now send a single request and route it to the server using ssltap to confirm if "ab" is working fine :

$./ab -n 1 -c 1 -f TLS1 https://www.foo.com:1924/abc.html

ssltap output shows that the server name "www.foo.com"  was sent in SSL Handshake :


$ssltap -s -l -p 1924 foo.com:port

--> [
  (230 bytes of 225)
  SSLRecord { [Thu Mar 31 19:43:21 2011]
     type    = 22 (handshake)
     version = { 3,1 }
     length  = 225 (0xe1)
     handshake {
        type = 1 (client_hello)
        length = 221 (0x0000dd)
           ClientHelloV3 {
              client_version = {3, 1}
              random = {...}
              session ID = {
                  length = 0
                  contents = {...}
              }
              cipher_suites[46] = {

...             } ...             extensions[88] = {

 extension type server_name, length [16] = {

  0: 00 0e 00 00  ... 2e 63 6f 6d  | .....www.foo.com } ...


2. siege

Downloaded  siege-2.70.tar.gz from ftp://ftp.joedog.org/pub/siege/siege-2.70.tar.gz

$gunzip siege.tar.gz

$tar -xvf siege.tar

$cd siege-2.70

Make these code changes

$diff client.c client.c.orig
292c292
<     if (SSL_initialize(C, U->hostname)==FALSE) {
---
>     if (SSL_initialize(C)==FALSE) {

$diff ssl.h ssl.h.orig
52c52
< BOOLEAN SSL_initialize(CONN \*C, const char \*servername);
---
> BOOLEAN SSL_initialize(CONN \*C);

$diff ssl.c ssl.c.orig
43d42
< #include <tls1.h>
67c66
< SSL_initialize(CONN \*C, const char \*servername)
---
> SSL_initialize(CONN \*C)
137,138d135
<   SSL_ctrl(C->ssl, SSL_CTRL_SET_TLSEXT_HOSTNAME,
<            TLSEXT_NAMETYPE_host_name, servername);

Build and install siege :

$./configure --with-ssl=/usr/local/


$make

$make install

$export LD_LIBRARY_PATH=/usr/local/lib/:$LD_LIBRARY_PATH

Run siege

$/usr/local/bin/siege -c 10 -t1M https://www.foo.com:3333/index.html

you can confirm that siege sent SNI TLS extension using ssltap.

3. References

Monday Jan 17, 2011

What's new in NSS 3.12.\* - Server Name Indication (SNI) callback

What's new in NSS 3.12.\* - Server Name Indication (SNI) callback

When a request comes in to a web server, it sends the domain name in the Host header.

"GET /test.html HTTP/1.0

Host: abc.com"

by the time any web server parses it, its too late to send the appropriate certificate as it was already sent in the SSL Handshake. As per RFC4366, we now have a new extension in Handshake with which client can tell server the required domain. So the server can send appropriate certificate in the handshake.

In a Web Server, we can configure only one certificate of a type (ECC/RSA etc.) per HTTP listener using SSL_ConfigureSecureServer(fd...) call. If the server has to be used for one more domain, we need to regenerate the certificate with that domain in Subject Alternate Names. But with Server Name Indication (SNI) extension, we can register, more than one certificates (of a particular type) per HTTP listener.

In NSS 3.12.6 a new SNI callback was added as a part of bug 360421. Any Server which uses NSS can set this callback function (similar to what is shown in selfserv.c#1709) and write its implementation to send appropriate SNI certificate at runtime.

I used two binaries bundled with NSS selfserv and tstclnt to see what is happening. (I have used NSS 3.12.8)

Create two server certificates "www.foo.com" and "www.bar.com"

$certutil -N -d .
$certutil -S -x -n www.foo.com -s "CN=www.foo.com" -t CTu,u,u -d .
$certutil -S -x -n www.bar.com -s "CN=www.bar.com" -t CTu,u,u -d .

start the server

$selfserv -D -B -s -p 4443  -n www.foo.com  -r -a www.bar.com -d .

Where
-D => disable Nagle delays in TCP
-B => bypasses the PKCS11 layer
-s => disable SSL socket locking
-n  rsa_cert_nickname
-a is used to configure server for SNI. [-a sni_cert_nickname]
-r => request, not require, cert on initial handshake.

create sslreq.cat

$cat > req.dat  
GET /test.html HTTP/1.0

 


Now send a request asking for domain "www.bar.com"

$tstclnt -p 4443 -h www.foo.com -f -d  . -n www.foo.com  -2 -a www.bar.com  < sslreq.dat

where
-n => Nickname of key & cert for client auth (use www.foo.com  for now)
-a => Send different SNI name. [-a 1st_handshake_sni_cert_name]

We get : 

subject DN: CN=www.bar.com
issuer  DN: CN=www.bar.com
0 cache hits; 1 cache misses, 0 cache not reusable
0 stateless resumes
HTTP/1.0 200 OK
Server: Generic Web Server
Date: Tue, 26 Aug 1997 22:10:05 GMT
Content-type: text/plain
GET /test.html HTTP/1.0
EOF

As you can see, the server returned the certificate for "www.bar.com"

To know what's happening look at the ssltap output (use -c z in selfserv and tstclnt both):

$ssltap -l -s -p 1925 foo:4443
Connection #1 [Mon Jan 17 14:51:12 2011]
Connected to foo:4443
--> [
(74 bytes of 69)
SSLRecord { [Mon Jan 17 14:51:12 2011]
   type    = 22 (handshake)
   version = { 3,1 }
   length  = 69 (0x45)
   handshake {
      type = 1 (client_hello)
      length = 65 (0x000041)
         ClientHelloV3 {
            client_version = {3, 1}
            random = {...}
            session ID = {
                length = 0
                contents = {...}
            }
            cipher_suites[2] = {
                (0x00ff) ????/????????/?????????/???
                (0x0002) SSL3/RSA/NULL/SHA
            }
            compression[1] = {
                (00) NULL
            }
  extensions[20] = {
  extension type server_name, length [16] = {
   0: 00 0e 00 00  0b 77 77 77  2e 62 61 72  2e 63 6f 6d  | .....www.bar.com
              }
            }
         }
   }
}
]
<-- [
(590 bytes of 585)
SSLRecord { [Mon Jan 17 14:51:12 2011]
   type    = 22 (handshake)
   version = { 3,1 }
   length  = 585 (0x249)
   handshake {
      type = 2 (server_hello)
      length = 81 (0x000051)
         ServerHello {
            server_version = {3, 1}
            random = {...}
            session ID = {
                length = 32
                contents = {...}
            }
            cipher_suite = (0x0002) SSL3/RSA/NULL/SHA
            compression method = (00) NULL
            extensions[9] = {
              extension type 65281, length [1] = {
   0: 00                    | .
              }
              extension type server_name, length [0]
            }
         }
      type = 11 (certificate)
      length = 430 (0x0001ae)
         CertificateChain {
            chainlength = 427 (0x01ab)
            Certificate {
               size = 424 (0x01a8)
               data = { saved in file 'cert.001' }
            }
         }
      type = 13 (certificate_request)
      length = 58 (0x00003a)
         CertificateRequest {
            certificate types[3] = { 01 02 40 }
            certificate_authorities[52] = {
CN=www.bar.com
   CN=www.foo.com
            }
         }
      type = 14 (server_hello_done)
      length = 0 (0x000000)
   }
}
]
--> [
(754 bytes of 702, with 47 left over)
SSLRecord { [Mon Jan 17 14:51:12 2011]
   type    = 22 (handshake)
   version = { 3,1 }
   length  = 702 (0x2be)
   handshake {
      type = 11 (certificate)
      length = 430 (0x0001ae)
         CertificateChain {
            chainlength = 427 (0x01ab)
            Certificate {
               size = 424 (0x01a8)
               data = { saved in file 'cert.002' }
            }
         }
      type = 16 (client_key_exchange)
      length = 130 (0x000082)
         ClientKeyExchange {
            message = {...}
         }
      type = 15 (certificate_verify)
      length = 130 (0x000082)
   }
}
(754 bytes of 1, with 41 left over)
SSLRecord { [Mon Jan 17 14:51:12 2011]
   type    = 20 (change_cipher_spec)
   version = { 3,1 }
   length  = 1 (0x1)
}
(754 bytes of 36)
SSLRecord { [Mon Jan 17 14:51:12 2011]
   type    = 22 (handshake)
   version = { 3,1 }
   length  = 36 (0x24)
   handshake {
      type = 20 (finished)
      length = 12 (0x00000c)
         Finished {
            verify_data = {...}
         }
   }
      MAC = {...}
}
]
<-- [
(47 bytes of 1, with 41 left over)
SSLRecord { [Mon Jan 17 14:51:12 2011]
   type    = 20 (change_cipher_spec)
   version = { 3,1 }
   length  = 1 (0x1)
}
(47 bytes of 36)
SSLRecord { [Mon Jan 17 14:51:12 2011]
   type    = 22 (handshake)
   version = { 3,1 }
   length  = 36 (0x24)
   handshake {
      type = 20 (finished)
      length = 12 (0x00000c)
         Finished {
            verify_data = {...}
         }
   }
      MAC = {...}
}
]
--> [
(50 bytes of 45)
SSLRecord { [Mon Jan 17 14:51:12 2011]
   type    = 23 (application_data)
   version = { 3,1 }
   length  = 45 (0x2d)
   0: 47 45 54 20  2f 74 65 73  74 2e 68 74  6d 6c 20 48  | GET /test.html H
  10: 54 54 50 2f  31 2e 30 0a  0a                        | TTP/1.0..
      MAC = {...}
}
]
<-- [
(196 bytes of 164, with 27 left over)
SSLRecord { [Mon Jan 17 14:51:12 2011]
   type    = 23 (application_data)
   version = { 3,1 }
   length  = 164 (0xa4)
   0: 48 54 54 50  2f 31 2e 30  20 32 30 30  20 4f 4b 0d  | HTTP/1.0 200 OK.
  10: 0a 53 65 72  76 65 72 3a  20 47 65 6e  65 72 69 63  | .Server: Generic
  20: 20 57 65 62  20 53 65 72  76 65 72 0d  0a 44 61 74  |  Web Server..Dat
  30: 65 3a 20 54  75 65 2c 20  32 36 20 41  75 67 20 31  | e: Tue, 26 Aug 1
  40: 39 39 37 20  32 32 3a 31  30 3a 30 35  20 47 4d 54  | 997 22:10:05 GMT
  50: 0d 0a 43 6f  6e 74 65 6e  74 2d 74 79  70 65 3a 20  | ..Content-type:
  60: 74 65 78 74  2f 70 6c 61  69 6e 0d 0a  0d 0a 47 45  | text/plain....GE
  70: 54 20 2f 74  65 73 74 2e  68 74 6d 6c  20 48 54 54  | T /test.html HTT
  80: 50 2f 31 2e  30 0a 0a 45  4f 46 0d 0a  0d 0a 0d 0a  | P/1.0..EOF......
      MAC = {...}
}
(196 bytes of 22)
SSLRecord { [Mon Jan 17 14:51:12 2011]
   type    = 21 (alert)
   version = { 3,1 }
   length  = 22 (0x16)
   warning: close_notify
      MAC = {...}
}
]

 Note that the client sent "www.bar.com" to the server in the extension.

Also that server sends the certificate (cert.001) i.e. "www.bar.com"  to the client.  

$openssl x509  -in cert.001 -text -inform DER

Certificate:

    Data:

        Version: 3 (0x2)

        Issuer: CN=www.bar.com

        Subject: CN=www.bar.com

And the client sends the certificate (cert.002) i.e. "www.foo.com"  to the server.

$openssl x509  -in cert.002 -text -inform DER

Certificate:

    Data:

        Version: 3 (0x2)

        Issuer: CN=www.foo.com

        Subject: CN=www.foo.com

Now send a request asking for domain "www.domain-not-found.com", the server is unable to find a certificate registered for such a domain and hence returns error. This behavior will vary from server to server depending on the implementation. 

$tstclnt -p 4443 -h www.foo.com -f -d  . -n www.foo.com  -2 -a "www.domain-not-found.com"  < sslreq.dat

 We get the error :

 tstclnt: write to SSL socket failed: SSL peer has no certificate for the requested DNS name

For this case, ssltap output shows an "unrecognize_name" alert (use -c z in selfserv and tstclnt):

$ssltap -l -s -p 1925 foo:4443
Connection #1 [Mon Jan 17 14:49:28 2011]
Connected to foo:4443
--> [
(87 bytes of 82)
SSLRecord { [Mon Jan 17 14:49:28 2011]
   type    = 22 (handshake)
   version = { 3,1 }
   length  = 82 (0x52)
   handshake {
      type = 1 (client_hello)
      length = 78 (0x00004e)
         ClientHelloV3 {
            client_version = {3, 1}
            random = {...}
            session ID = {
                length = 0
                contents = {...}
            }
            cipher_suites[2] = {
                (0x00ff) ????/????????/?????????/???
                (0x0002) SSL3/RSA/NULL/SHA
            }
            compression[1] = {
                (00) NULL
            }
            extensions[33] = {
              extension type server_name, length [29] = {
  0: 00 1b 00 00  18 77 77 77  2e 64 6f 6d  61 69 6e 2d| .....www.domain-
 10: 6e 6f 74 2d  66 6f 75 6e  64 2e 63 6f  6d  | not-found.com
              }
            }
         }
   }
}
]
<-- [
(7 bytes of 2)
SSLRecord { [Mon Jan 17 14:49:28 2011]
   type    = 21 (alert)
   version = { 3,1 }
   length  = 2 (0x2)
   fatal: unrecognized_name
}
]
 
  

Looks like j2SE SNI client side support was integrated in J2SE 7 b118 CR6985179 To support Server Name Indication extension for JSSE client.

 Browsers that support TLS SNI

Refer http://en.wikipedia.org/wiki/Server_Name_Indication#Support for a full list. Some of these browsers are :

  • Internet Explorer 7 or later, on Windows Vista or higher. Does not work on Windows XP, even Internet Explorer 8.
  • Mozilla Firefox 2.0 or later
  • Google Chrome (Vista or higher. XP on Chrome 6 or newer. OS X 10.5.7 or higher on Chrome 5.0.342.1 or newer)
  • Safari 2.1 or later (Mac OS X 10.5.6 or higher and Windows Vista or higher)

References

About

Meena Vyas

Search

Archives
« April 2014
SunMonTueWedThuFriSat
  
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
   
       
Today