How to troubleshoot SNI-enabled endpoints with curl and openssl


Issue

A modern webserver hosting or proxying to multiple backend domain names will often be configured to use SNI (Server Name Indication).

SNI allows multiple SSL-protected domains to be hosted on the same IP address, and is commonly used in Kubernetes with ingress controllers such as the nginx ingress controller.

The SNI extension requires a slight change to the conversation between client and server: the hostname must be provided in the Hello message to correctly access the associated domain name.

This can present an issue when troubleshooting a node or pod directly, where an IP address is used.

Pre-requisites

  • The curl and/or openssl command installed
  • Network access to the endpoint you wish to troubleshoot

Steps

To perform an SNI-compliant request using an IP address, use the following commands, replacing the domain name and IP address.

  • Using the curl command:

      curl -v --resolve domain.com:443:<ip address> https://domain.com

  • Using openssl can be useful to obtain details about the certificate configured:

      openssl s_client -showcerts -servername domain.com -connect <ip address>:443
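
Added example, not part of the original article: a POSIX shell script that runs the openssl handshake above twice, once with -servername and once with -noservername, and reports whether the endpoint returns a different certificate when SNI is sent. The function names, the result labels and the placeholder certificate bodies in the offline demo are assumptions made for this example.

```shell
#!/bin/sh
# Usage: sh sni_check.sh <domain> <ip> [port]   (no arguments: offline demo)
# Print the first PEM certificate (the leaf) from s_client output on stdin.
first_pem() {
    awk '/-----BEGIN CERTIFICATE-----/ && !seen {p = 1}
         p {print}
         /-----END CERTIFICATE-----/ && p {p = 0; seen = 1}'
}

# Classify two s_client captures: $1 taken with SNI, $2 taken without it.
classify_sni() {
    with_sni=$(printf '%s\n' "$1" | first_pem)
    without_sni=$(printf '%s\n' "$2" | first_pem)
    if [ -z "$with_sni" ]; then
        echo "no-certificate"      # no certificate even when SNI was sent
    elif [ -z "$without_sni" ]; then
        echo "sni-required"        # server rejects clients that omit SNI
    elif [ "$with_sni" = "$without_sni" ]; then
        echo "same-certificate"    # default certificate, or SNI is ignored
    else
        echo "sni-selected"        # SNI chose a different certificate
    fi
}

# One handshake against ip:port; remaining arguments control SNI.
probe() {
    target=$1; shift
    openssl s_client -connect "$target" "$@" </dev/null 2>/dev/null || true
}

if [ "$#" -ge 2 ]; then
    domain=$1; ip=$2; port=${3:-443}
    # -noservername (OpenSSL 1.1.1 and later) suppresses the SNI extension.
    result=$(classify_sni "$(probe "$ip:$port" -servername "$domain")" \
                          "$(probe "$ip:$port" -noservername)")
    echo "$domain via $ip:$port: $result"
    # Subject, issuer and expiry of the certificate selected by SNI.
    probe "$ip:$port" -servername "$domain" | first_pem |
        openssl x509 -noout -subject -issuer -enddate
else
    # Offline demo on constructed captures (placeholder bodies, not real certs).
    demo_sni='-----BEGIN CERTIFICATE-----
CONSTRUCTED-CERT-FOR-DOMAIN
-----END CERTIFICATE-----'
    demo_default='-----BEGIN CERTIFICATE-----
CONSTRUCTED-DEFAULT-CERT
-----END CERTIFICATE-----'
    classify_sni "$demo_sni" "$demo_default"
fi
```

A same-certificate result for a domain that should have its own certificate usually means the request fell through to the server's default certificate.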

Further reading

More information on SNI can be found here.
