stunnel client uses improper SNI when talking to Apache
- by Huckle
I have stunnel listening on port 80 and acting as a client connecting to Apache listening on port 443. Configuration is below. What I'm finding is that if I attempt to connect to localhost:80 the connection is fine but if I connect to 127.0.0.1:80
When I check Apache's logs it indicates that stunnel is using localhost as the SNI both times, but the HTTP request lists localhost in one case and 127.0.0.1 in the other. Is it possible to tell stunnel to either use whatever is in the HTTP request or to somehow configure two clients, each with a different SNI value?
stunnel.conf:
debug = 7
options = NO_SSLv2
[xmlrpc-httpd]
client = yes
accept = 80
connect = 443
Apache error.log:
[error] Hostname localhost provided via SNI and hostname 127.0.0.1 provided via HTTP are different
Apache access.log:
"GET / HTTP/1.1" 200 2138 "-" "Wget/1.13.4 (linux-gnu)"
"GET / HTTP/1.1" 400 743 "-" "Wget/1.13.4 (linux-gnu)"
wget:
$ wget -d localhost
---request begin---
GET / HTTP/1.1
User-Agent: Wget/1.13.4 (linux-gnu)
Accept: */*
Host: localhost
Connection: Keep-Alive
---request end---
$ wget -d 127.0.0.1
---request begin---
GET / HTTP/1.1
User-Agent: Wget/1.13.4 (linux-gnu)
Accept: */*
Host: 127.0.0.1
Connection: Keep-Alive
---request end---
edit:
Apache Config
Nothing out of the ordinary, it's just a virtual host listening on 443
<VirtualHost *:443>
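The following is an added example of the second option the question asks about (two stunnel client services, each forcing its own SNI value); it is not Huckle's configuration. It assumes a stunnel version whose client-mode `sni` option is available, and the local ports 8080/8081 and the loopback bind addresses are arbitrary choices. Note that stunnel derives its default SNI from the `connect` host, which is why a bare `connect = 443` yields "localhost" on both paths; and RFC 6066 does not permit IP literals in SNI, so the second service relies on the TLS library sending one anyway and Apache simply comparing the two strings.

```ini
; Added example, not the poster's stunnel.conf.
debug = 7
options = NO_SSLv2

; Requests whose Host: header is "localhost" go through this service.
[xmlrpc-localhost]
client = yes
accept = 127.0.0.1:8080        ; assumed local port
connect = 127.0.0.1:443
sni = localhost                ; client-mode SNI override (assumed available)

; Requests whose Host: header is "127.0.0.1" go through this service.
; An IP literal in SNI is outside RFC 6066; this only matches Apache's
; string comparison of SNI against the HTTP Host header.
[xmlrpc-ip]
client = yes
accept = 127.0.0.1:8081        ; assumed local port
connect = 127.0.0.1:443
sni = 127.0.0.1
```

With this layout the caller picks the tunnel whose SNI matches the Host header it will send, e.g. `wget http://localhost:8080/` versus `wget http://127.0.0.1:8081/`. stunnel does not inspect the plaintext HTTP request, so there is no way for a single client service to copy the Host header into SNI; the simpler fix on the wget side is to always request `localhost` so that Host and the default SNI agree.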