[BlueOnyx:26197] Re: SNI
Michael Stauber
mstauber at blueonyx.it
Tue May 9 22:09:40 -05 2023
Hi Robert,
> Okay, so a little more digging and I was able to get this to appear to
> work on K-9 Android app. At least it doesn't complain about the cert
> like Postbox on my desktop that shows the server cert.
>
> So, can someone here confirm the clients they have this working on?
> Perhaps it depends on the client.
Yeah, it sure depends on the client and also on the client configuration.
Server name: server.blueonyx.it
Vsite name: vsite.blueonyx.it
Secure IMAP runs on port 993
If the client (any client) connects to server.blueonyx.it:993? He gets
the server certificate.
If the client connects to vsite.blueonyx.it:993? If the client supports
SNI, he gets the Vsite SSL certificate. If the Vsite has no cert, or the
client doesn't support SNI? Then it falls back to the server certificate.
A good and easy way to test this is via OpenSSL from the command line:
#> openssl s_client -connect <HOSTNAME>:993
That shows a lot of information, which in its mass may not be easy to
make sense of. So let me make the command a bit more complicated to
make the results easier to understand:
The command below connects to 5211r1.smd.net:993 and we grep for CN in
the output to get the "Canonical Name" of the certificate:
#> echo -n | openssl s_client -connect 5211r1.smd.net:993 | openssl x509 -noout -text | grep CN
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = 5211r.smd.net
verify return:1
DONE
Issuer: C=US, O=Let's Encrypt, CN=R3
Subject: CN=5211r.smd.net
As you can see: We connected to 5211r1.smd.net (a Vsite on my box),
which is hosted on 5211r.smd.net and it replied back with the
certificate of the server (5211r.smd.net).
Because we didn't tell OpenSSL to use SNI.
How to use OpenSSL with SNI for the test?
#> openssl s_client -connect <VSITE>:993 -servername <VSITE>
So let me try this again with the more complicated command for easier
output:
#> echo -n | openssl s_client -connect 5211r1.smd.net:993 -servername 5211r1.smd.net | openssl x509 -noout -text | grep 5211r1.smd.net
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = 5211r1.smd.net
verify return:1
DONE
Subject: CN=5211r1.smd.net
DNS:5211r1.smd.net
So in this case the certificate we saw was indeed for the Vsite
(5211r1.smd.net) and NOT the server (5211r.smd.net).
Conclusion: SNI for IMAP works.
If it doesn't in your case, then I'm of course willing to take a look.
File a "Support Request" via the GUI and tick "Allow Access" and in the
comments mention the name of the Vsite where SNI for email doesn't seem
to work for you.
This could indeed be an issue with the SNI cert configuration on the
server, but it could also be an email client or email client
configuration issue. I can at least check the server side of things for
you and we can then take it from there. But generally speaking: With
Thunderbird (on PC and Linux) as well as with K-9 on my Android phone I
usually have no issues at all with SNI for email. So these are good
choices, but naturally not the only ones.
--
With best regards
Michael Stauber
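The manual check above (compare the depth=0 CN against the Vsite name, with and without -servername) can be automated. This is an added example, not code from the thread or from BlueOnyx: it parses the same openssl pipeline output, checks the leaf certificate's CN and DNS SANs against the requested hostname, and runs the probe both ways; the embedded sample output is constructed from the thread's second run, and `vsite.blueonyx.it` is just the placeholder name used in the message.

```python
import re
import subprocess
import sys

# Constructed sample: the output of the thread's SNI-enabled pipeline
# (openssl s_client -servername ... | openssl x509 -noout -text).
SAMPLE_WITH_SNI = """depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = 5211r1.smd.net
verify return:1
DONE
        Subject: CN=5211r1.smd.net
                DNS:5211r1.smd.net
"""

def leaf_names(text):
    """Names the leaf certificate carries: the Subject CN plus every DNS SAN."""
    names = set()
    m = re.search(r"^\s*Subject:.*?CN\s*=\s*([^,\n]+)", text, re.M)
    if m:
        names.add(m.group(1).strip())
    names.update(re.findall(r"DNS:([^\s,]+)", text))
    return names

def name_matches(hostname, names):
    """Exact match, or a single-label wildcard in the left-most label (RFC 6125 style)."""
    host = hostname.lower()
    for n in (x.lower() for x in names):
        if n == host:
            return True
        if n.startswith("*.") and host.count(".") == n.count(".") and host.endswith(n[1:]):
            return True
    return False

def probe(hostname, port=993, sni=True):
    """Run the same openssl pipeline as the thread, with or without -servername."""
    cmd = ["openssl", "s_client", "-connect", f"{hostname}:{port}"]
    if sni:
        cmd += ["-servername", hostname]
    s_client = subprocess.run(cmd, input=b"", capture_output=True, timeout=20)
    x509 = subprocess.run(["openssl", "x509", "-noout", "-text"],
                          input=s_client.stdout, capture_output=True)
    return leaf_names(x509.stdout.decode(errors="replace"))

if __name__ == "__main__":
    vsite = sys.argv[1] if len(sys.argv) > 1 else "vsite.blueonyx.it"  # placeholder
    for sni in (False, True):
        names = probe(vsite, sni=sni)
        print(f"SNI={'on' if sni else 'off'}: leaf={sorted(names)} "
              f"matches {vsite}: {name_matches(vsite, names)}")
```

A Vsite whose SNI cert is in place prints a match for the SNI=on run; if both runs show the server's own name, the Vsite has no cert or the server is not selecting it.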