[BlueOnyx:26197] Re: SNI

Michael Stauber mstauber at blueonyx.it
Tue May 9 22:09:40 -05 2023


Hi Robert,

> Okay, so a little more digging and I was able to get this to appear to 
> work on K-9 Android app. At least it doesn't complain about the cert 
> like Postbox on my desktop that shows the server cert.
> 
> So, can someone here confirm the clients they have this working on? 
> Perhaps it depends on the client.


Yeah, it sure depends on the client and also on the client configuration.

Server name: 	server.blueonyx.it
Vsite name: 	vsite.blueonyx.it

Secure IMAP runs on port 993

If the client (any client) connects to server.blueonyx.it:993? He gets 
the server certificate.

If the client connects to vsite.blueonyx.it:993? If the client supports 
SNI, he gets the Vsite SSL certificate. If the Vsite has no cert, or the 
client doesn't support SNI? Then it falls back to the server certificate.

A good and easy way to test this is via OpenSSL from the command line:

#> openssl s_client -connect <HOSTNAME>:993

That shows a lot of information, which in its mass may not be easy to 
make sense of.  So let me make the command a bit more complicated to 
make the results easier to understand:

The command below connects to 5211r1.smd.net:993 and we grep for CN in 
the output to get the "Canonical Name" of the certificate:

#> echo -n | openssl s_client -connect 5211r1.smd.net:993 | openssl x509 -noout -text | grep CN
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = 5211r.smd.net
verify return:1
DONE
         Issuer: C=US, O=Let's Encrypt, CN=R3
         Subject: CN=5211r.smd.net

As you can see: We connected to 5211r1.smd.net (a Vsite on my box), 
which is hosted on 5211r.smd.net and it replied back with the 
certificate of the server (5211r.smd.net).

Because we didn't tell OpenSSL to use SNI.

How to use OpenSSL with SNI for the test?

#> openssl s_client -connect <VSITE>:993 -servername <VSITE>

So let me try this again with the more complicated command for easier 
output:

#> echo -n | openssl s_client -connect 5211r1.smd.net:993 -servername 5211r1.smd.net | openssl x509 -noout -text | grep 5211r1.smd.net
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = 5211r1.smd.net
verify return:1
DONE
         Subject: CN=5211r1.smd.net
                 DNS:5211r1.smd.net

So in this case the certificate we saw was indeed for the Vsite 
(5211r1.smd.net) and NOT the server (5211r.smd.net).

Conclusion: SNI for IMAP works.

If it doesn't in your case, then I'm of course willing to take a look. 
File a "Support Request" via the GUI and tick "Allow Access" and in the 
comments mention the name of the Vsite where SNI for email doesn't seem 
to work for you.

This could indeed be an issue with the SNI cert configuration on the 
server, but it could also be an email client or email client 
configuration issue. I can at least check the server side of things for 
you and we can then take it from there. But generally speaking: With 
Thunderbird (on PC and Linux) as well as with K-9 on my Android phone I 
usually have no issues at all with SNI for email. So these are good 
choices, but naturally not the only ones.

-- 
With best regards

Michael Stauber
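The SNI check described in the post, reproduced locally as an added example (not code from the post or from BlueOnyx): two throw-away self-signed certs stand in for the server cert and the Vsite cert, `openssl s_server` is told to present the second one only when the client's SNI extension names the Vsite, and `served_cn` prints the CN (Common Name) of whatever cert the client was shown. Assumed names are server.blueonyx.it, vsite.blueonyx.it and PORT as a local stand-in for 993.

```shell
#!/bin/sh
# Added example, not from the original post: reproduce the SNI test with
# constructed self-signed certs. Assumed: server.blueonyx.it = server cert,
# vsite.blueonyx.it = Vsite cert, PORT = local stand-in for IMAPS port 993.
set -e
WORK=$(mktemp -d)
PORT=${PORT:-19993}

# Self-signed cert + key for the given CN (constructed test material only).
mkcert() {   # $1 = CN, $2 = file prefix
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
        -keyout "$WORK/$2.key" -out "$WORK/$2.crt" >/dev/null 2>&1
}
mkcert server.blueonyx.it server
mkcert vsite.blueonyx.it  vsite

# s_server presents the default cert unless the client's SNI extension names
# exactly the -servername host, in which case it presents -cert2/-key2.
# That is the fall-back rule the post describes: Vsite cert on SNI match,
# server cert otherwise (no SNI, or SNI for a name without its own cert).
openssl s_server -accept "$PORT" -www \
    -cert "$WORK/server.crt" -key "$WORK/server.key" \
    -servername vsite.blueonyx.it \
    -cert2 "$WORK/vsite.crt" -key2 "$WORK/vsite.key" >/dev/null 2>&1 &
SRV=$!
cleanup() { kill "$SRV" 2>/dev/null || true; rm -rf "$WORK"; }
trap cleanup EXIT

# served_cn [NAME]: connect, with SNI=NAME if given, and print the CN of the
# certificate the server presented. Caveat: s_client 1.1.1+ sends SNI by
# default taken from the -connect host, so -noservername is used to force a
# genuine no-SNI connection instead of relying on an IP literal.
served_cn() {
    if [ -n "$1" ]; then sni="-servername $1"; else sni="-noservername"; fi
    openssl s_client -connect "127.0.0.1:$PORT" $sni </dev/null 2>/dev/null \
        | openssl x509 -noout -subject 2>/dev/null | sed 's/.*CN *= *//'
}

# Wait until the server accepts connections.
for _ in 1 2 3 4 5 6 7 8 9 10; do
    [ -n "$(served_cn)" ] && break
    sleep 1
done

echo "no SNI:      $(served_cn)"                     # server.blueonyx.it
echo "SNI vsite:   $(served_cn vsite.blueonyx.it)"   # vsite.blueonyx.it
echo "SNI unknown: $(served_cn other.blueonyx.it)"   # server.blueonyx.it
```

Pointing `served_cn` at a real host and port (with the CN of the expected Vsite cert) gives the same test as the post's grep, but the three cases above also show the fall-back for a name the server has no cert for.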