If you get a problem with SNI while creating an SSL connection to the web server, you should follow this post to debug your case. I want to add some steps about how to debug and fix the SNI problem. SNI stands for “Server Name Indication” and it is an extension of the TLS protocol. So this extension use for verify server that you try to connect. This extension allows to servers connect multiple “SSL-Server” certificate from one IP.
Error Types for SNI Mismatch:
"Hostname <IP-DNS> provided via SNI, but no hostname provided in HTTP request
Hostname <IP-DNS> provided via SNI and hostname <DNS> provided via HTTP are different"
Step 1: How to debug SNI problem for SSL request?
It will be a good start point to analyze your SSL request. First, get tcpdump from your client and analyze the "Client Hello" package. You can use "tcpdump" command with these options to dump requests and then use Wireshark to analyze all traffics.
#tcpdump -i eth0 'host <Web_Server_IP>' -w /tmp/test.pcap
Open test.pcap file with Wireshark. Then you must set HTTP protocols port that you use to connect web servers. Apply configuration and start to analyze the "Client Hello" request.
Edit >> Preferences >> Protocols >> HTTP >> SSL/TLS Port
When you click "Client Hello" you will get all the request information. We need to check the "Secure Sockets Layer" tab. Servername extension will be added under the Handshake Protocol. Therefore, this is the key point that you have to check if your request sends information properly to your web server.
Step 2: How to fix the SNI problem for SSL request?
- If you need to define -servername extension at your SSL request, don't forget to add this servername extension to your HTTP1.0 request to. By default, HTTP1.1 will add servername parameter to the HTTP request. But HTTP1.0 not.
POST /mdpayacs/vereq HTTP/1.0
- If there is no need to add "servername" extension to the SSL request, remove it and perform test tasks again.