How to fix SNI problem for SSL request?

If you get a problem with SNI while creating an SSL connection to the web server, you should follow this post to debug your case. I want to add some steps about how to debug and fix the SNI problem. SNI stands for “Server Name Indication” and it is an extension of the TLS protocol. So this extension use for verify server that you try to connect. This extension allows to servers connect multiple “SSL-Server” certificate from one IP.

Error Types for  SNI  Mismatch:

"Hostname <IP-DNS> provided via SNI, but no hostname provided in HTTP request

Hostname <IP-DNS> provided via SNI and hostname <DNS> provided via HTTP are different"

Step 1: How to  debug SNI  problem for SSL request?

It will be a good start point to analyze your SSL request. First, get tcpdump from your client and analyze the "Client Hello" package. You can use "tcpdump" command with these options to dump requests and then use  Wireshark to analyze all traffics.

#tcpdump  -i  eth0  'host  <Web_Server_IP>' -w  /tmp/test.pcap

Open test.pcap file with  Wireshark. Then you must set  HTTP protocols port that you use to connect web servers. Apply configuration and start to analyze the "Client  Hello" request.

Edit >> Preferences >> Protocols >> HTTP >> SSL/TLS Port

When you click  "Client Hello"  you will get all the request information. We need to check the "Secure Sockets  Layer"  tab. Servername extension will be added under the Handshake  Protocol. Therefore, this is the key point that you have to check if your request sends information properly to your web server.

Step 2: How to fix the SNI  problem for SSL request?

  • Step A:

    • If you need to define -servername extension at your  SSL request, don't forget to add this servername extension to your HTTP1.0 request to. By default, HTTP1.1  will add servername parameter to the HTTP  request. But  HTTP1.0 not.

#HTTP 1.0
POST /mdpayacs/vereq HTTP/1.0
connection: keep-alive
content-type: application/x-www-form-urlencoded
content-length: 402

  • Step B:

    • If there is no need to add  "servername"  extension to the SSL request,  remove it and perform test tasks again.

I'm a IT Infrastructure and Operations Architect with extensive experience and administration skills and works for Turk Telekom. I provide hardware and software support for the IT Infrastructure and Operations tasks.

205 Total Posts
Follow Me