What does the server block for 443 with no SNI look like?

I wasn't aware that one could test for the existence of SNI in the server block.



  # Catch-all for TLS clients that send no SNI (or connect to the bare IP).
  # default_server is what makes nginx pick this block for no-SNI handshakes;
  # "server_name _" on its own does not. Without an explicit port, "listen"
  # defaults to 80, so 443 has to be spelled out; IPv6 literals need brackets.
  server {
      listen {replace_with_some_ip}:443 ssl default_server;
      listen [{replace_with_some_ipv6}]:443 ssl default_server;

      # Throwaway self-signed cert. The handshake still completes before the
      # connection is dropped, so CN and SAN must not carry the real hostname.
      # nginx >= 1.19.4 can instead use "ssl_reject_handshake on;" and drop the cert.
      ssl_certificate /etc/ssl/snakeoil.pem;
      ssl_certificate_key /etc/ssl/snakeoil.key;

      server_name _ {replace_with_some_ip} {replace_with_some_ipv6};

      # 444 closes the connection without sending any HTTP response.
      return 444;
  }

Should catch all TLS connections that have no SNI or that try to connect straight to the bare IP, and if the snakeoil cert is generated right, it doesn't instantly reveal what the real hostname is.
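As an added example (not code from the thread), a shell script that generates the snakeoil pair used by the block above and checks that neither subject nor SAN mentions the real hostname. It also builds the "leaky" variant (real name reused in the decoy cert) to show the check catching it. It assumes openssl(1) is on PATH; REAL_HOST and all file names are placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread. Builds the snakeoil certificate for
# the no-SNI catch-all block and verifies it leaks nothing about the real site.
# Assumes openssl(1) is on PATH; REAL_HOST and all paths are placeholders.
set -eu

REAL_HOST="real.example.com"   # constructed placeholder for the protected hostname

# gen_snakeoil DIR: self-signed cert/key whose CN and SAN only say "localhost",
# so a prober that completes the handshake learns nothing about REAL_HOST.
gen_snakeoil() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -subj "/CN=localhost" -addext "subjectAltName=DNS:localhost" \
        -keyout "$1/snakeoil.key" -out "$1/snakeoil.pem" >/dev/null 2>&1
}

# gen_leaky DIR HOST: the common mistake, reusing the real name in the decoy cert.
gen_leaky() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -subj "/CN=$2" -addext "subjectAltName=DNS:$2" \
        -keyout "$1/leaky.key" -out "$1/leaky.pem" >/dev/null 2>&1
}

# cert_is_clean CERT HOST: exit 0 when HOST appears nowhere in the decoded cert
# (subject, issuer and every extension, SAN included), 1 if it leaks.
cert_is_clean() {
    if openssl x509 -in "$1" -noout -text | grep -qiF -- "$2"; then
        return 1
    fi
    return 0
}

# Demo run: generate both variants into a temp dir and report on each.
demo() {
    dir=$(mktemp -d)
    gen_snakeoil "$dir"
    gen_leaky "$dir" "$REAL_HOST"
    for c in snakeoil leaky; do
        if cert_is_clean "$dir/$c.pem" "$REAL_HOST"; then
            echo "$c.pem: OK, does not mention $REAL_HOST"
        else
            echo "$c.pem: LEAKS $REAL_HOST"
        fi
    done
    rm -rf "$dir"
}

demo
```

Once the block is deployed, probe it from outside with `openssl s_client -connect IP:443 -noservername` (expect the snakeoil cert and a connection that closes with no HTTP response) and again with `-servername real.host` (expect the real certificate). Because `return 444` only acts after the TLS handshake, the decoy certificate is always visible to whoever probes the bare IP, which is why the clean-cert check matters; `ssl_reject_handshake on;` avoids presenting any certificate at all.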
