kirei / sslyze

Fast and full-featured SSL scanner
GNU General Public License v2.0

Server Name Indication (SNI) implementation #2

Open jschlyter opened 10 years ago

jschlyter commented 10 years ago

SNI should work better.

jschlyter commented 10 years ago

OpenSSL examples

openssl s_client                           -connect www.google.se:443
openssl s_client -servername www.google.se -connect www.google.se:443
openssl s_client -servername www.google.dk -connect www.google.se:443
openssl s_client -servername www.google.xx -connect www.google.se:443

sslyze examples

python sslyze.py --certinfo=full --regular --sni=www.google.se www.google.se:443
python sslyze.py --certinfo=full --regular --sni=www.google.dk www.google.se:443
python sslyze.py --certinfo=full --regular --sni=www.google.xx www.google.se:443

secworks commented 10 years ago

Fix for SNI checked into https://github.com/kirei/sslyze/commit/a6d82efb1cd3f7f0e4236467fadd0dd1edd6b06d

The behaviour in sslyze IMHO now matches the behaviour in openssl.

secworks commented 10 years ago

Even more fixed: https://github.com/kirei/sslyze/commit/5a4c12edde37a0d602c6f1bcfbfb14ccb47bd856

Now hostname validation fails for the google.xx example with SNI enabled.

Another example that shows SAN-match:

python sslyze.py --certinfo=basic --sni=youtube.com www.google.se:443
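
Added example, not part of the thread and not sslyze's own code: a sketch of the check discussed above, where the name sent via SNI is validated against the certificate's subjectAltName DNS entries, falling back to the commonName only when no SAN DNS entry exists. The function names and `SAMPLE_CERT` are assumptions; the sample certificate is constructed and uses the dict layout returned by Python's `ssl.SSLSocket.getpeercert()`.

```python
import socket
import ssl

def fetch_cert(host, port, sni):
    """Connect to host:port, send `sni` in the ClientHello, return the cert dict."""
    ctx = ssl.create_default_context()   # chain is still verified
    ctx.check_hostname = False           # the name is checked separately below
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=sni) as tls:
            return tls.getpeercert()

def _name_match(pattern, hostname):
    p = pattern.lower().rstrip(".")
    h = hostname.lower().rstrip(".")
    if not p.startswith("*."):
        return p == h
    # A wildcard covers exactly one leftmost label.
    head, sep, rest = h.partition(".")
    return bool(head) and bool(sep) and rest == p[2:]

def validate_hostname(cert, hostname):
    """Return (ok, matched_by); matched_by is 'SAN', 'CN' or None."""
    dns_names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if dns_names:
        # When SAN DNS names exist, the commonName is not consulted.
        ok = any(_name_match(n, hostname) for n in dns_names)
        return (ok, "SAN" if ok else None)
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName" and _name_match(value, hostname):
                return (True, "CN")
    return (False, None)

# Constructed sample, not a real certificate.
SAMPLE_CERT = {
    "subject": ((("commonName", "*.google.com"),),),
    "subjectAltName": (
        ("DNS", "*.google.com"),
        ("DNS", "*.google.se"),
        ("DNS", "youtube.com"),
    ),
}

if __name__ == "__main__":
    # Offline run: the names used as --sni values in the thread.
    for name in ("www.google.se", "youtube.com", "www.google.xx"):
        print(name, validate_hostname(SAMPLE_CERT, name))
```

For a live check, pass the result of `fetch_cert(host, 443, sni)` to `validate_hostname` with the same `sni` value.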