28

I'm setting up Apache with several distinct SSL certificates for different domains that reside on the same server (and thus sharing the same IP address).

With Qualys SSL Test I discovered that there are clients (i.e. BingBot as of December 2013) that do not support the SNI extension.

So I'm thinking about crafting a special default web application that can gather the requests of such clients, but how can I simulate those clients?

I'm on Windows 8, with no access to Linux boxes, if that matters.

6 Answers

34

You can use the most commonly used SSL library, OpenSSL. Windows binaries are available to download.

The openssl s_client -connect domain.com:443 command serves very well for testing an SSL connection from the client side. It doesn't support SNI by default. You can append the -servername domain.com argument to enable SNI.

1
  • 22
    This is true for openssl releases 1.1.0* and earlier. In 1.1.1* builds, s_client sends the "server_name" extension by default (with whatever host was specified in the "-connect" parameter). If you don't want to send "server_name" in the newer version you have to turn it off with "-noservername".
    – Andrew
    Commented Jan 19, 2018 at 18:12
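To confirm what a simulated client actually puts on the wire (the openssl and gnutls flags above change behaviour between versions, as the comment notes), here is an added Python example that is not part of the original answers. It uses Python's ssl module with memory BIOs to generate a ClientHello with and without SNI, entirely offline, and parses the server_name extension out of the raw bytes; the same parser can be pointed at a captured ClientHello from any client you want to classify.

```python
import ssl
import struct
from typing import Optional


def client_hello_bytes(sni: Optional[str]) -> bytes:
    """Return the raw ClientHello that Python/OpenSSL would send.
    sni=None omits the server_name extension, like a pre-SNI client."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # required when no hostname is given
    ctx.verify_mode = ssl.CERT_NONE     # we never complete the handshake here
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname=sni)
    try:
        tls.do_handshake()              # writes ClientHello, then needs input
    except ssl.SSLWantReadError:
        pass
    return outgoing.read()


def parse_sni(data: bytes) -> Optional[str]:
    """Extract the host from the server_name extension of a ClientHello,
    or return None when the client did not send SNI."""
    if len(data) < 5 or data[0] != 0x16:           # 0x16 = handshake record
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", data[3:5])[0]
    body = data[5:5 + rec_len]
    if not body or body[0] != 0x01:                # 0x01 = ClientHello
        raise ValueError("not a ClientHello")
    hello = body[4:4 + int.from_bytes(body[1:4], "big")]
    pos = 2 + 32                                   # legacy_version + random
    pos += 1 + hello[pos]                          # session id
    pos += 2 + struct.unpack("!H", hello[pos:pos + 2])[0]   # cipher suites
    pos += 1 + hello[pos]                          # compression methods
    if pos + 2 > len(hello):
        return None                                # no extensions block at all
    end = pos + 2 + struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= end:
        ext_type, ext_size = struct.unpack("!HH", hello[pos:pos + 4])
        ext = hello[pos + 4:pos + 4 + ext_size]
        pos += 4 + ext_size
        if ext_type == 0 and len(ext) >= 5 and ext[2] == 0:   # host_name entry
            name_len = struct.unpack("!H", ext[3:5])[0]
            return ext[5:5 + name_len].decode("ascii")
    return None


if __name__ == "__main__":
    for host in ("www.example.com", None):
        print(host, "->", parse_sni(client_hello_bytes(host)))
```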
10

If you are using OpenSSL 1.1.0 or an earlier version, use openssl s_client -connect $ip:$port, and OpenSSL won't enable the SNI extension.

If you are using OpenSSL 1.1.1, you need to add the -noservername flag to openssl s_client.

5

Similar to openssl s_client is gnutls-cli:

gnutls-cli --disable-sni www.google.com

2

You could install Strawberry Perl and then use the following script to simulate a client not supporting SNI:

use strict;
use warnings;
use LWP::UserAgent;

my $ua = LWP::UserAgent->new(ssl_opts => {
    # this disables SNI
    SSL_hostname => '', 
    # These disable certificate verification, so that we get a connection even
    # if the certificate does not match the requested host or is invalid.
    # Do not use in production code !!!
    SSL_verify_mode => 0,
    verify_hostname => 0,
});

# request some data
my $res = $ua->get('https://example.com');

# show headers
# pseudo header Client-SSL-Cert-Subject gives information about the
# peers certificate
print $res->headers_as_string;

# show response including header
# print $res->as_string;

By setting SSL_hostname to an empty string you disable SNI; removing that line enables SNI again.

1
  • Thanks for giving an answer that is cross-platform - despite the asker being on Windows.
    – Micropolis
    Commented May 20, 2022 at 14:55
1

The approach of using a special default web application simply would not work.

You can't do that because said limited clients not just open a different page, but they fail completely.

  1. Consider you have a "default" vhost which a non-SNI client will open just fine.

  2. You also have an additional vhost which is supposed to be opened by an SNI-supporting client.

  3. Obviously, these two must have different hostnames (say, default.example.com and www.example.com), else Apache or nginx wouldn't know which site to show to which connecting client.

Now, if a non-SNI client tries to open https://www.example.com, he'll be presented with a certificate from default.example.com, which would give him a certificate error. This is a major caveat.

A fix for this error is to make a SAN (multi-domain) certificate that would include both www.example.com and default.example.com. Then, if a non-SNI client tries to open https://www.example.com, he'll be presented with a valid certificate, but even then his Host: header would still point to www.example.com, and his request will get routed not to default.example.com but to www.example.com.

As you can see, you either block non-SNI clients completely or forward them to an expected vhost. There's no sensible option for a default web application.

6
  • 2
    Downvoting. The question is how to simulate requests without sni support.
    – Wes
    Commented May 2, 2018 at 9:55
  • @Wes this isn't fair because the question is also about a special default application
    – sanmai
    Commented May 3, 2018 at 0:52
  • We actively use default applications and it doesn't cause an issue. The other hosts are in the subject alternative name. So "you just can't do that" is wrong (though you do give your own workaround). It still doesn't actually answer the question "but how can I simulate those clients", which is both the question title and the actual question in the question. (Sorry, hard to use correct English here.)
    – Wes
    Commented May 3, 2018 at 10:16
  • Why should a single answer answer all questions from the original question? Is there a law or a rule?
    – sanmai
    Commented May 4, 2018 at 0:05
  • 1
    I think you're taking this too seriously. Anyway, as it stands the only question asked was how to simulate the clients. I've removed the downvote but I still feel the information is slightly misleading and B doesn't answer the only question that was asked. Actually I can't remove the downvote, I did try.
    – Wes
    Commented May 4, 2018 at 8:48
1

With a Java HTTP client you can disable the SNI extension by setting the system property jsse.enableSNIExtension=false.

More here: Java TLS: Disable SNI on client handshake
