advertising the hostname connecting to
Nikos Mavrogiannopoulos
nmav at gnutls.org
Wed Feb 5 17:04:15 EST 2014
On 02/05/2014 08:49 PM, David Woodhouse wrote:
>> Hello,
>> It seems that sniproxy is a viable method to multiplex [0] ocserv with
>> another web server over port 443. However, it seems that openconnect
>> doesn't advertise the hostname it is connecting to in the client hello.
>> Would you be interested in a patch to make openconnect use SNI?
> As long as it doesn't offend the stupider firewalls that some people put
> in front of their ASAs, sure.
I've added it in:
git://gitorious.org/openconnect-x/openconnect-x.git sni
It is followed by two commits that will reduce the size of the client
hello to compensate for the increase. One removes support for DHE-DSS
(the number of DSA certificates on the Internet could be counted on the
fingers of a single hand - according to an old study by SSL
observatory). The other removes the OCSP status request and session
ticket extensions that are not being used by openconnect.
regards,
Nikos
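The routing decision discussed in this thread, as an added example that is not code from openconnect, sniproxy or either poster: it parses a ClientHello, extracts the SNI hostname, and picks a backend, falling back to a default when the client sent no SNI. The hostnames, backend names and the minimal ClientHello builder are constructed for illustration.

```python
import struct

SNI, STATUS_REQUEST, SESSION_TICKET = 0, 5, 35   # IANA TLS extension types

def build_client_hello(hostname=None, extra=()):
    """Build a minimal constructed ClientHello record (sample input, not a capture)."""
    exts = b""
    if hostname is not None:
        name = hostname.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name   # name_type 0 = host_name
        exts += struct.pack("!HHH", SNI, len(entry) + 2, len(entry)) + entry
    for ext_type, data in extra:
        exts += struct.pack("!HH", ext_type, len(data)) + data
    body = (b"\x03\x03" + bytes(32) + b"\x00"      # version, random, empty session id
            + b"\x00\x02\x00\x2f" + b"\x01\x00"    # one cipher suite, null compression
            + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

def parse_extensions(record):
    """Return {type: data} for a ClientHello held in one TLS record."""
    if len(record) < 44 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a ClientHello")
    try:
        pos = 43                                             # headers, version, random
        pos += 1 + record[pos]                               # session id
        pos += 2 + struct.unpack_from("!H", record, pos)[0]  # cipher suites
        pos += 1 + record[pos]                               # compression methods
        if pos == len(record):
            return {}                                        # hello with no extensions block
        end = pos + 2 + struct.unpack_from("!H", record, pos)[0]
        pos, exts = pos + 2, {}
        while pos < end:
            ext_type, length = struct.unpack_from("!HH", record, pos)
            exts[ext_type] = record[pos + 4:pos + 4 + length]
            pos += 4 + length
    except (IndexError, struct.error):
        raise ValueError("truncated ClientHello")
    if pos != end or end > len(record):
        raise ValueError("bad extension lengths")
    return exts

def sni_hostname(record):
    """Return the host_name from the SNI extension, or None if the client sent none."""
    data = parse_extensions(record).get(SNI)
    if data is None or len(data) < 5 or data[2] != 0:
        return None
    (length,) = struct.unpack_from("!H", data, 3)
    return data[5:5 + length].decode("ascii", "replace")

def route(record, backends, default):
    """Pick a backend the way an SNI-based multiplexer does: by hostname, else default."""
    return backends.get(sni_hostname(record), default)
```

The SNI extension costs 9 bytes plus the hostname length in the ClientHello, which is the size increase the two follow-up commits compensate for.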