How to simulate non-SNI browsers (without SNI support)?

I'm setting up Apache with several distinct SSL certificates for different domains that reside on the same server (and thus sharing the same IP address).

With Qualys SSL Test I discovered that there are clients (i.e. BingBot as of december 2013) that do not support the SNI extension.

So I'm thinking about crafting a special default web application that can gather the requests of such clients, but how can I simulate those clients?

I'm on Windows 8, with no access to Linux boxes, if that matters.

6 Answers

You can use the most commonly used SSL library, OpenSSL. Windows binaries are available to download.

openssl s_client -connect domain.com:443 command serves very well to test SSL connection from client side. It doesn't support SNI by default. You can append -servername domain.com argument to enable SNI.

1

If you are using OpenSSL 1.1.0 or earlier version, use openssl s_client -connect $ip:$port, and OpenSSL wouldn't enable the SNI extension

If you are using OpenSSL 1.1.1, you need add -noservername flag to openssl s_client.

Similar to openssl s_client is gnutls-cli

gnutls-cli --disable-sni 

You could install Strawberry Perl and then use the following script to simulate a client not supporting SNI:

use strict;
use warnings;
use LWP::UserAgent;
my $ua = LWP::UserAgent->new(ssl_opts => { # this disables SNI SSL_hostname => '', # These disable certificate verification, so that we get a connection even # if the certificate does not match the requested host or is invalid. # Do not use in production code !!! SSL_verify_mode => 0, verify_hostname => 0,
});
# request some data
my $res = $ua->get(');
# show headers
# pseudo header Client-SSL-Cert-Subject gives information about the
# peers certificate
print $res->headers_as_string;
# show response including header
# print $res->as_string;

By setting SSL_hostname to an empty string you can disable SNI, disabling this line enables SNI again.

1

The approach of using a special default web application simply would not work.

You can't do that because said limited clients not just open a different page, but they fail completely.

  1. Consider you have a "default" vhost which a non-SNI client will open just fine.

  2. You also have an additional vhost which is supposed to be open by an SNI-supporting client.

  3. Obviously, these two must have different hostnames (say, default.example.com and ), else Apache or nginx wouldn't know which site to show to which connecting client.

Now, if a non-SNI client tries to open , he'll be presented a certificate from default.example.com, which would give him a certificate error. This is a major caveat.

A fix for this error is to make a SAN (multi-domain) certificate that would include both and default.example.com. Then, if a non-SNI client tries to open , he'll be presented with a valid certificate, but even then his Host: header would still point to , and his request will get routed not to default.example.com but to .

As you can see, you either block non-SNI clients completely or forward them to an expected vhost. There's no sensible option for a default web application.

6

With a Java HTTP client you can disable the SNI extension by setting the system property jsse.enableSNIExtension=false.

More here: Java TLS: Disable SNI on client handshake

Your Answer

Sign up or log in

Sign up using Google Sign up using Facebook Sign up using Email and Password

Post as a guest

By clicking “Post Your Answer”, you agree to our terms of service, privacy policy and cookie policy

You Might Also Like