On 02/05/2014 08:49 PM, David Woodhouse wrote:

>> Hello,
>> It seems that sniproxy is a viable method to multiplex [0] ocserv with
>> another web server over port 443. However, it seems that openconnect
>> doesn't advertise the hostname it is connecting to on the client hello.
>> Would you be interested in a patch to make openconnect use SNI?

> As long as it doesn't offend the stupider firewalls that some people put
> in front of their ASAs, sure.

I've added it in:
git://gitorious.org/openconnect-x/openconnect-x.git sni

It is followed by two commits that will reduce the size of the client hello to compensate for the increase. One removes support for DHE-DSS (the number of DSA certificates on the Internet could be counted on the fingers of a single hand - according to an old study by SSL observatory). The other removes the OCSP status request and session ticket extensions that are not being used by openconnect.

regards,
Nikos