
My code sample:

    import OpenSSL
    import socket

    # ip and port identify the target server and are set elsewhere
    ctx = OpenSSL.SSL.Context(OpenSSL.SSL.SSLv23_METHOD)
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    connection = OpenSSL.SSL.Connection(ctx, s)
    connection.connect((str(ip), port))
    connection.setblocking(1)
    # No server name is set, so the ClientHello carries no SNI extension
    connection.do_handshake()
    chain = connection.get_peer_cert_chain()

The case is that if the host has the SNI extension, I get an error:

    [('SSL routines', 'SSL3_READ_BYTES', 'sslv3 alert handshake failure')]

I believe that I can overcome this using `OpenSSL.SSL.Connection.set_tlsext_host_name(name)`, but for the user the hostname is unknown, and I would like to connect to every available hostname.

So my question is: Is there a way to connect to a host by IP and retrieve all available hostnames that provide certificates? Or is there a way to just retrieve all certificates from an SNI host?

  • Use `s_client` to fetch the certificate at the IP address and print the DNS names in the certificate: `openssl s_client -connect : -tls1 -servername | openssl x509 -text -noout`. Use the IP address as the SNI server name. Then, connect with the DNS name. In a hosted environment with virtual servers, this probably will not work as expected. You may have to perform a DNS reverse lookup to get the names. The reverse lookup assumes DNS is configured as expected, which may not be the case. – jww Aug 17 '16 at 21:16

1 Answer


> Is there a way to connect to a host by IP and retrieve all available hostnames that provide certificates? Or is there a way to just retrieve all certificates from an SNI host?

None of this is possible using HTTPS. If you are lucky, you can gather information about the possible hostnames somewhere on the server, or by sniffing for DNS lookups which resolve to the server's IP, or by using other ways to figure out which names belong to this IP address: How can I find all the domain names that resolve to one ip address?

Steffen Ullrich
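
Because the server will not list its names, the workable approach is to try names you already hold (reverse DNS results, your own inventory) as the SNI value and group them by the certificate returned. The sketch below is an added example, not code from the question or the answer; it uses the standard-library `ssl` module rather than pyOpenSSL, and the IP address, hostnames, `SAMPLE_CERT` and `sample_fetch` are constructed placeholders.

```python
import hashlib
import socket
import ssl

def dns_names(cert):
    """DNS entries of subjectAltName in the dict from SSLSocket.getpeercert()."""
    return sorted(v for k, v in cert.get("subjectAltName", ()) if k == "DNS")

def fetch_cert(ip, port, name, timeout=3.0):
    """Connect to ip:port with `name` as SNI; return (sha256, names) or None."""
    ctx = ssl.create_default_context()  # verifies the chain and that the cert covers `name`
    try:
        with socket.create_connection((ip, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=name) as tls:
                der = tls.getpeercert(binary_form=True)
                return hashlib.sha256(der).hexdigest(), dns_names(tls.getpeercert())
    except OSError:
        # Refused, timed out, handshake alert, or a certificate that does not match `name`
        return None

def certs_by_candidate(ip, port, candidates, fetch=fetch_cert):
    """Group candidate names by the certificate the server returned for them."""
    found = {}
    for name in candidates:
        result = fetch(ip, port, name)
        if result is None:
            continue
        fingerprint, names = result
        entry = found.setdefault(fingerprint, {"names": names, "sni": []})
        entry["sni"].append(name)
    return found

# Constructed sample in the shape getpeercert() returns, for offline use.
SAMPLE_CERT = {"subjectAltName": (("DNS", "www.example.com"), ("DNS", "example.com"),
                                  ("IP Address", "192.0.2.10"))}

def sample_fetch(ip, port, name):
    """Stand-in for fetch_cert: only names covered by SAMPLE_CERT get an answer."""
    names = dns_names(SAMPLE_CERT)
    return ("constructed-fingerprint", names) if name in names else None

if __name__ == "__main__":
    print(certs_by_candidate("192.0.2.10", 443,
                             ["example.com", "www.example.com", "mail.example.com"],
                             fetch=sample_fetch))
```

With the default `fetch_cert`, a candidate is kept only when the handshake succeeds and the certificate validates for that name, so a default certificate served for an unknown SNI value is not counted as a match.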