Monday, April 16, 2018

How to validate a client is sending the SNI in TLS

Almost all modern browsers use TLS extensions, and the most common one is known as Server Name Indication (SNI).

You can use the SNI field before any TLS decryption to determine which website the client is selecting. In this example, I'm using

Various inspection methods are available to filter on just the SNI information; they do not need full TLS/SSL decryption in order to block HTTPS traffic for various sites. In fact, you can select which websites to decrypt based on the HTTPS SNI information.

So if a web client turns off SNI, you will need to do one of the following:

1: place a strict deny when no SNI is present in the Client Hello

2: perform MiTM decryption to inspect the header and take action when matched

To check if your browser does NOT use SNI, launch a session to and if you get the "upgrade to a modern browser" message, then that means your web client does not support SNI.

e.g. (using curl with -k and without)

Here's a Wireshark snippet of SNI and non-SNI:


NSE (Network Security Expert) and Route/Switching Engineer
kfelix  -----a----t---- socpuppets ---dot---com
     ^      ^
=(  @  @ )=
        /  \
