On 02/05/2014 09:49 PM, Thomas Glanzmann wrote:
> Hello Nikos,
>
>> It seems that sniproxy is a viable method to multiplex [0] ocserv with
>> another web server over port 443. However, it seems that openconnect
>> doesn't advertise the hostname it is connecting to on the client
>> hello. Would you be interested in a patch to make openconnect use
>> SNI?
>
> I thought about the same thing last weekend and also stumbled across
> sniproxy. However I would love to see sniproxy functionality be
> implemented in nginx and already thought about doing that.
>
> I also wanted to sniff if anyconnect does advertise the hostname because
> currently this is my main usage scenario.

That would be nice to know. Given however that Cisco's clients are based on a very old openssl version I wouldn't bet on that. However you could rely on the fact that most browsers do use SNI so you can have the fallback to be the vpn server.

regards,
Nikos