advertising the hostname connecting to

Nikos Mavrogiannopoulos nmav at gnutls.org
Wed Feb 5 16:39:09 EST 2014


On 02/05/2014 09:49 PM, Thomas Glanzmann wrote:
> Hello Nikos,
> 
>> It seems that sniproxy is a viable method to multiplex [0] ocserv with
>> another web server over port 443. However, it seems that openconnect
>> doesn't advertise the hostname it is connecting to on the client
> >> hello.  Would you be interested in a patch to make openconnect use
>> SNI?
> 
> I thought about the same thing last weekend and also stumbled across
> sniproxy. However I would love to see sniproxy functionality be
> implemented in nginx and already thought about doing that.
> 
> I also wanted to sniff if anyconnect does advertise the hostname because
> currently this is my main usage scenario.

That would be nice to know. Given however that Cisco's clients are based
on a very old openssl version I wouldn't bet on that. However you could
rely on the fact that most browsers do use SNI so you can have the
fallback to be the vpn server.

regards,
Nikos




More information about the openconnect-devel mailing list