How to simulate non-SNI browsers (without SNI support)?

disable sni
ssl sni value
schannel using ip address sni is not supported by os
curl disable sni extension
host does not match sni
ssl sni value and the http host header
how to check if sni is enabled
disabling hostname validation also disables sni

I'm setting up Apache with several distinct SSL certificates for different domains that reside on the same server (and thus sharing the same IP address).

With Qualys SSL Test I discovered that there are clients (i.e. BingBot as of december 2013) that do not support the SNI extension.

So I'm thinking about crafting a special default web application that can gather the requests of such clients, but how can I simulate those clients?

I'm on Windows 8, with no access to Linux boxes, if that matters.

You can use the most commonly used SSL library, OpenSSL. Windows binaries are available to download.

openssl s_client -connect domain.com:443 command serves very well to test SSL connection from client side. It doesn't support SNI by default. You can append -servername domain.com argument to enable SNI.

How to simulate non-SNI browsers (without SNI support - php, How to simulate non-SNI browsers (without SNI support)? - ssl Similar to openssl s_client is gnutls-cli gnutls-cli --disable-sni www.google.com  Explained : This site works only in browsers with SNI support Advertisement If you have shared host or a cloud or virtual or dedicated server or service hosting multiple domains, it is normal to face the message – This site works only in browsers with SNI support .

Similar to openssl s_client is gnutls-cli

gnutls-cli --disable-sni www.google.com

How to simulate non-SNI browsers (without SNI support)?, How to simulate non-SNI browsers (without SNI support)? - ssl Consider you have a "default" vhost which a non-SNI client will open just fine. You also have an​  Server Name Indication is an extension of the TLS protocol that allows one to host multiple SSL certificates at the same IP address. Nowadays it is pretty common and implemented in most modern browsers, but older versions may lack SNI support!

You could install Strawberry Perl and then use the following script to simulate a client not supporting SNI:

use strict;
use warnings;
use LWP::UserAgent;

my $ua = LWP::UserAgent->new(ssl_opts => {
    # this disables SNI
    SSL_hostname => '', 
    # These disable certificate verification, so that we get a connection even
    # if the certificate does not match the requested host or is invalid.
    # Do not use in production code !!!
    SSL_verify_mode => 0,
    verify_hostname => 0,
});

# request some data
my $res = $ua->get('https://example.com');

# show headers
# pseudo header Client-SSL-Cert-Subject gives information about the
# peers certificate
print $res->headers_as_string;

# show response including header
# print $res->as_string;

By setting SSL_hostname to an empty string you can disable SNI, disabling this line enables SNI again.

What happens when a browser does not support SNI, That depends on how your web server reacts when receiving a HTTPS request without SNI. (If you want to test it, you can simulate a non-SNI browser with  For such SNI bindings the ServerName header will be expected by the server. If a non-SNI capable client attempts HTTPS connection, the server will not receive the ServerName header and will not send the certificate. This will result in an SSL handshake error, and hence, HTTPS connection will not be established. Connection with SNI. Below you can see an example of an SSL connection with the ServerName header.

The approach of using a special default web application simply would not work.

You can't do that because said limited clients not just open a different page, but they fail completely.

  1. Consider you have a "default" vhost which a non-SNI client will open just fine.

  2. You also have an additional vhost which is supposed to be open by an SNI-supporting client.

  3. Obviously, these two must have different hostnames (say, default.example.com and www.example.com), else Apache or nginx wouldn't know which site to show to which connecting client.

Now, if a non-SNI client tries to open https://www.example.com, he'll be presented a certificate from default.example.com, which would give him a certificate error. This is a major caveat.

A fix for this error is to make a SAN (multi-domain) certificate that would include both www.example.com and default.example.com. Then, if a non-SNI client tries to open https://www.example.com, he'll be presented with a valid certificate, but even then his Host: header would still point to www.example.com, and his request will get routed not to default.example.com but to www.example.com.

As you can see, you either block non-SNI clients completely or forward them to an expected vhost. There's no sensible option for a default web application.

Curl disable sni, 5 is that curl supports SNI and wget does not, so for some sites wget will it won't wont How to simulate non-SNI browsers (without SNI support)? to an empty  With Qualys SSL Test I discovered that there are clients (i.e. BingBot as of december 2013) that do not support the SNI extension. So I'm thinking about crafting a special default web application that can gather the requests of such clients, but how can I simulate those clients? I'm on Windows 8, with no access to Linux boxes, if that matters.

If you are using OpenSSL 1.1.0 or earlier version, use openssl s_client -connect $ip:$port, and OpenSSL wouldn't enable the SNI extension

If you are using OpenSSL 1.1.1, you need add -noservername flag to openssl s_client.

What Is SNI? How TLS Server Name Indication Works, SNI, or Server Name Indication, is an extension for the TLS protocol to indicate a What is SNI (Server Name Indication)? Often this kind of error results in a "​Your connection is not private" error message in the user's browser. SNI Almost all browsers, operating systems, and web servers support it, with the exception of​  From your plain HTTP page, load a <script> from your destination SNI HTTPS server and if the script loads and runs correctly, you know the browser supports SNI. Cross-Domain AJAX (CORS) Similar to option 1, you could try performing a cross-domain AJAX request from the HTTP page to the HTTPS, but be aware that CORS has only limited browser support .

how to tell if SNI is causing TLS to not work (with LTE-M/NB-IoT)?, Does support SNI == require SNI == XBee not work? I'm not sure how to simulate a non-SNI connection to check that from the browser or  SNI is not supported on the server side until Java 8. The minimum Java version that Tomcat 8 has to support is Java 7 so at the moment there i no SNI support in Tomcat. It may be possible to optionally support SNI if Tomcat is running on Java 8 or later but that would need code changes in Tomcat for which

Curl disable sni, Not all SSL servers support SNI, and by forcing SNI without an option to disable it​, it won't wont How to simulate non-SNI browsers (without SNI support)? to an  But with a new technique (SNI, abbreviation for Server Name Stack Exchange Network Stack Exchange network consists of 175 Q&A communities including Stack Overflow , the largest, most trusted online community for developers to learn, share their knowledge, and build their careers.

What is SNI technology? – HelpDesk, When the names do not match, the visitor will not see your website but Browsers that support SNI will immediately communicate the name of  Server Name Indication (SNI) is the solution to this problem. Browsers that support SNI will immediately communicate the name of the website the visitor wants to connect to, during the initialization of the secured connection, so that the server knows which certificate to send back.

Comments
  • This is true for openssl releases 1.1.0* and earlier. In 1.1.1* builds, s_client sends the "server_name" extension by default (with whatever host was specified in the "-connect" parameter). If you don't want to send "server_name" in the newer version you have to turn it off with "-noservername".
  • Downvoting. The question is how to simulate requests without sni support.
  • @Wes this isn't fair because the question is also about a special default application
  • We actively use default applications and it doesn't cause an issue. The other hosts are in the subject alternative name. So you just can't do that is wrong. (though you do give your own work around) It still doesn't actually answer the question "but how can I simulate those clients" which is both the question title and the actual question in the question. (sorry hard to use correct english here)
  • Why should a single answer answer all questions from the original question? Is there a law or a rule?
  • I think your taking this too seriously. Anyway as it stands the only question asked was how to simulate the clients. I've removed the Downvote but I still feel the information is slightly misleading and B doesn't answer the only question that was asked. Actually I can't remove the downvote, I did try.