> > Try: curl https://sni.velox.ch/ -k
> > You will see that SNI doesn't work with this client.
>
> Also see:
> https://mumble.org.uk/blog/2014/03/12/gpg-and-openssl-and-curl-and-osx/

I'm a little confused... because I see that you're correct about https://sni.velox.ch in that I see an error message that my client doesn't support SNI.

And yet node's SNICallback function fires and delivers the correct certificates when I connect to these sites:

    curl https://coolaj86.com
    curl https://aj.the.dj

As a sanity check I made sure that I get the default service when I don't specify a name:

    curl https://45.56.23.132 -k

I wanted to sanity check, so I put a console.log right in the SNICallback in my node server and restarted it. For all 3 I see the SNICallback fire with the correct value (and the IP address gives an error and falls back to a self-made certificate for a dummy domain).

Still suspicious, I triple checked that I was running curl from an OS X window, not one of my sshed linux windows. Yep, it's OS X curl.

    curl 7.37.1 (x86_64-apple-darwin14.0) libcurl/7.37.1 SecureTransport zlib/1.2.5
    Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtsp smtp smtps telnet tftp
    Features: AsynchDNS GSS-Negotiate IPv6 Largefile NTLM NTLM_WB SSL libz

I decided to take a dump:

    sudo tcpdump -ps0 -i eth0 -w coolaj86.com.eth0.443.cap tcp port 443

https://dropsha.re/files/afraid-wolverine-84/coolaj86.com.eth0.443.cap

When I open it up with vim the only plaintext I see is 'coolaj86.com', but it seems to happen later than I would expect.

    hexdump coolaj86.com.eth0.443.cap
    0000200 00 0f 00 00 0c 63 6f 6f 6c 61 6a 38 36 2e 63 6f
    0000210 6d 00 0a 00 08 00 06 00 17 00 18 00 19 00 0b 00

Examining the earlier dump I sent to you, it makes me wonder if that plaintext is part of the certificate.

Stumped...

