jetmore / swaks

Swaks - Swiss Army Knife for SMTP
http://jetmore.org/john/code/swaks/
GNU General Public License v2.0
848 stars 86 forks

--tls-sni is not working #34

Closed endreszabo closed 2 years ago

endreszabo commented 3 years ago

I had to --pipe an openssl s_client as the swaks argument --tls-sni does not seem to work. The connection opens, TLS handshake is successful, but without any SNI header sent in TLS Client Hello.

This works:

$ swaks --pipe 'openssl s_client -connect somehost.example.com:443 -servername somehost.example.com -quiet' ...ordinary arguments follow

This does not (LB redirects to an HTTP server if SNI is not given):

$ swaks -s somehost.example.com:443 -tls -tlsp tlsv1_3 -p 443 --tls-sni somehost.example.com ...ordinary arguments follow
=== Trying somehost.example.com:443...
=== Connected to somehost.example.com.
<** HTTP/1.1 408 Request Time-out
<** content-length: 110
<** cache-control: no-cache
<** content-type: text/html
<** connection: close
<** 
<** <html><body><h1>408 Request Time-out</h1>
<** Your browser didn't send a complete request in time.
<** </body></html>

jetmore commented 3 years ago

@endreszabo I'm having a hard time with this. I have a simple test server written in perl that reads the SNI (if provided) and prints it out, and that appears to be working. Given that this is a random string that is only referenced in the client SNI, it's hard to understand how the server could be printing it out any other way than via SNI working.

Oh, I think I see it - unless you tell it otherwise, s_client negotiates TLS before anything else (like https). Swaks is the opposite - unless you specify, it attempts to use smtps, in which a basic smtp connection is negotiated up into TLS-encrypted.

Long story short, use --tlsc instead of --tls and it will probably work

endreszabo commented 2 years ago

Thanks for your reply. Eventually I did not use --tlsc. For the record I'm using swaks together with piped OpenSSL as per the following:

swaks --pipe 'openssl s_client -connect "$servername:443" -servername "$servername"' ...more-args...

The upside of this is that this way I see a very detailed TLS negotiation output from OpenSSL. And pretty much that's it.

Keep up the good work!