EldoS | Feel safer!

Software components for data protection, secure storage and transfer

SNI with SimpleSSLClient

Posted: 09/16/2013 07:34:45
by Kreissl Hogler (Priority Standard support level)
Joined: 09/16/2013
Posts: 24


i am using SSLClient to read the server certificates to perform an custom ssl check.

My problem is, I cant find a way to enable SNI.

var client = new TElSimpleSSLClient();
client.OnCertificateValidate += this.OnCertificateValidate;
client.Address = this.hostname;
client.Port = 443;

There must be a way to set the hostname, because our testsystem hosts several tenants with different certificates.

With the code above the wrong certificate is delivered (always the first one).

There is a client.Extensions.ServerName property, but it looks like it's not possible to add the hostname.

So how can this be done?


Posted: 09/16/2013 07:45:15
by Vsevolod Ievgiienko (Team)

Thank you for contacting us.

You can turn SNI on next way:

1) set TElSimpleSSLClient.Extensions.ServerName.Enabled to 'true';
2) execute next code:

TElSimpleSSLClient client = new TElSimpleSSLClient();
int idx = client.Extensions.ServerName.Add();
client.Extensions.ServerName.Names[idx].NameType = TSBSSLServerNameType.ntHostName;
client.Extensions.ServerName.Names[idx].Name = 'host_name';
Posted: 09/16/2013 08:08:17
by Kreissl Hogler (Priority Standard support level)
Joined: 09/16/2013
Posts: 24

Thank you for this fast reply!

The ServerName object doesnt have a Names Collection. I am using SSHBlackbox on Windows Phone8.

I tried it this way. Is the code ok? It doesnt work. I am setting the hostname to the expected host without https:// or anything.

client.Extensions.ServerName.Enabled = true;
int idx = client.Extensions.ServerName.Add();
var name = client.Extensions.ServerName.get_Names(idx);

name.Name = this.hostname;
name.NameType = TSBSSLServerNameType.ntHostName;

Posted: 09/16/2013 08:26:20
by Ken Ivanov (Team)

Hello Kreissl,

You are doing everything correctly. C# does not support indexed properties, so one should use the get_Names() method instead of the Names[] collection if using this language.

First of all, please try to enable TLS1.1 version explicitly if you are not doing it already. Some servers only support extensions if negotiating a TLS1.1 or TLS1.2 version. If enabling TLS1.1 doesn't help, please try enabling TLS1.2 as well.

Next, the server might be sensitive to the presence of subdomains in the host name. If the host name you are assigning to the name.Name property contains a subdomain (typically, 'www.'), please try to remove it from the host name and check if anything changes. And the other way round, if you are NOT passing subdomain name at the moment, please try passing it.
Posted: 09/16/2013 09:54:39
by Kreissl Hogler (Priority Standard support level)
Joined: 09/16/2013
Posts: 24

Ok ty. But how can I set the TLS version explicitly?

The servername is something like mm.mandant1.mydomain.eu..
Posted: 09/16/2013 10:02:06
by Ken Ivanov (Team)

You can add TLS1.1 to the supported version list in the following way. Note that you should set them before calling the Open() method:

client.Versions = (short) (client.Versions + SBSSLConstants.Unit.sbTLS11);

BTW, did you have a chance to check whether your server works with different clients that support SNI?
Posted: 09/16/2013 10:40:55
by Kreissl Hogler (Priority Standard support level)
Joined: 09/16/2013
Posts: 24

Yes we use SNI with android accessing the server successfully. The sniffer says its TLS 1.0 (but could by the organization proxy between too).

But anyway.. I can't set the version because i get this exception:

{SBSSLCommon.EElSecureClientError: Cannot support SSL 3.0 and TLS 1.1 and not support TLS 1.0
at SBSSLClient.TElSSLClient.SSLNegotiate(Boolean Value)
at SBSSLClient.TElSSLClient.Open()
at SBSimpleSSL.TElCustomSimpleSSLClient.Open()
at Services.CertValidationService.SslConnect()}

What does cannot support mean in this context?
Posted: 09/16/2013 11:28:37
by Ken Ivanov (Team)

This means that you should enable TLS1.0 as well, and this actually explains everything - the component can't use extensions if TLS1.0 is disabled. Please use the following code to enable TLS1.0:

client.Versions = (short) (client.Versions + SBSSLConstants.Unit.sbTLS1);
Posted: 09/16/2013 11:32:28
by Eugene Mayevski (Team)

Also you need to notice, that the server can send more than one certificate and OnCertificateValidate is triggered for each certificate one by one. And it's possible that some CA certificate is sent before the end-entity certificate.

So you need to check all received certificates rather than abort the check on the first one.

Sincerely yours
Eugene Mayevski
Posted: 09/16/2013 11:58:17
by Kreissl Hogler (Priority Standard support level)
Joined: 09/16/2013
Posts: 24

The exceptions said "Cannot support SSL 3.0 and TLS 1.1 and not support TLS 1.0"
That means it doesnt support it or? I used already the code you wrote:

client.Versions = (short)(client.Versions + SBSSLConstants.Unit.sbTLS1);

This line of code caused the exception... So did I understand something wrong?

To your second answer. Yes I know. I fetch all certificates and i am checkin the correct one..



Topic viewed 2914 times

Number of guests: 1, registered members: 0, in total hidden: 0


Back to top

As of July 15, 2016 EldoS business operates as a division of /n software, inc. For more information, please read the announcement.

Got it!