On 25. Nov 8:02:17, Stuart Henderson wrote:
> On 2015-11-24, Uwe Werler <uwe.wer...@retiolum.eu> wrote:
> > Hello,
> >
> > I'm just testing ssl interception and noticed the following problem.
> > Sometimes the Subject/Subject Alternative Name of the cert is altered with
> > a different name than the one the original cert has:
>
> When relayd connects to the server to find out what names to use in
> the subject/SAN, it doesn't send the requested hostname (SNI) in
> the ClientHello, so it only has the information from the server's
> "default" certificate to include in the newly generated certificate.
>
> You can see this for yourself with openssl s_client -connect hostname:443
> compared with openssl s_client -connect hostname:443 -servername hostname.
>
Hello Stuart,

thanks! Ok, got it. Only for my understanding: is there a reason (probably security related?) for not using the host name from ClientHello in relayd for fetching the target cert? And if not, is it planned to implement it in relayd?

Thanks in advance!

Regards
Uwe
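The effect Stuart describes (a server that presents one "default" certificate to a ClientHello without SNI and a different one when a server name is sent) can be reproduced offline. The script below is an added example and is not part of this thread or of relayd; it stands in an openssl s_server with a default cert/key and a second SNI-selected cert/key pair for the real origin server, generates two throwaway self-signed certificates with constructed names (default.example.test and www.example.test), and then runs the two s_client commands from Stuart's reply against it. The port 4443 and the certificate names are assumptions for the demo; -addext on openssl req needs OpenSSL 1.1.1 or a LibreSSL with that option.

```shell
#!/bin/sh
# Added example: show that the leaf certificate a TLS server presents depends
# on whether the ClientHello carries SNI. Nothing here is relayd code.
set -eu

WORK=$(mktemp -d)
PORT=${PORT:-4443}                 # assumption: a free local port
DEFAULT_CN="default.example.test"  # constructed name for the "default" cert
SNI_CN="www.example.test"          # constructed name for the SNI-selected cert

# Generate a throwaway self-signed certificate with CN and SAN set to $2.
gen_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=$2" -addext "subjectAltName=DNS:$2" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.crt" >/dev/null 2>&1
}
gen_cert default "$DEFAULT_CN"
gen_cert sni "$SNI_CN"

# Local stand-in for the origin server: -cert/-key is the default certificate,
# -cert2/-key2 is used only when the ClientHello's SNI matches -servername.
openssl s_server -accept "$PORT" -www \
    -cert "$WORK/default.crt" -key "$WORK/default.key" \
    -servername "$SNI_CN" -cert2 "$WORK/sni.crt" -key2 "$WORK/sni.key" \
    </dev/null >/dev/null 2>&1 &
SERVER_PID=$!
trap 'kill "$SERVER_PID" 2>/dev/null; rm -rf "$WORK"' EXIT

# Wait until the server accepts connections (up to ~20 s).
i=0
until openssl s_client -connect "127.0.0.1:$PORT" </dev/null >/dev/null 2>&1; do
    i=$((i + 1))
    [ "$i" -lt 20 ] || { echo "server did not start" >&2; exit 1; }
    sleep 1
done

# Subject of the leaf certificate the server presents. $1 is the server name
# to send as SNI, or empty to send none. Connecting to an IP literal means
# s_client has no DNS name to put in SNI by default, so the empty case sends
# no server_name extension at all.
leaf_subject() {
    if [ -n "${1:-}" ]; then
        set -- -servername "$1"
    else
        set --
    fi
    openssl s_client -connect "127.0.0.1:$PORT" "$@" </dev/null 2>/dev/null |
        openssl x509 -noout -subject
}

# Returns 0 when the no-SNI connection gets the default cert and the SNI
# connection gets the name-specific one, i.e. when the two results differ
# exactly the way a relayd probe without SNI would see them.
check_default_vs_sni() {
    no_sni=$(leaf_subject "")
    with_sni=$(leaf_subject "$SNI_CN")
    echo "without SNI: $no_sni"
    echo "with SNI:    $with_sni"
    case "$no_sni" in *"$DEFAULT_CN"*) ;; *) return 1 ;; esac
    case "$with_sni" in *"$SNI_CN"*) ;; *) return 1 ;; esac
    return 0
}

check_default_vs_sni
```

The first connection mirrors what relayd's probe sees: only the default certificate's subject/SAN, which is then copied into the generated certificate. The second connection, with -servername, gets the certificate the browser would have received, which is why the names in the interception cert sometimes differ from the original.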