Server Name Indication (SNI)

Server Name Indication (SNI) is an extension to the Transport Layer Security (TLS) protocol by which the client indicates, at the start of the handshake, which host name it is attempting to connect to. This allows a server to present multiple certificates on the same IP address and TCP port number, and hence allows multiple secure (HTTPS) websites (or any other service over TLS) to be served from the same IP address without requiring all of those sites to use the same certificate. It is the conceptual equivalent of HTTP/1.1 virtual hosting for HTTPS.

To enable Server Name Indication (SNI):

  1. In the main menu, select Virtual Services > View/Modify Services.
  2. Click the Modify button on the relevant Virtual Service.
  3. Expand the SSL Properties section.
  4. Ensure that the SSL Acceleration Enabled check box is selected.
  5. Select the Require SNI hostname check box.

SNI is configurable for any Virtual Service that supports HTTPS, in either an offloaded or pass-through configuration. If SSL acceleration is not enabled, the LoadMaster takes the SNI information provided by the client and passes it along to a server when the connection is established. If SSL acceleration is enabled within a Virtual Service, assign the correct certificates to the service in addition to enabling the Reencryption SNI hostname option.
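As an added illustration (not from this article or from Kemp), the Python below builds a minimal TLS ClientHello, extracts the server_name extension the way a pass-through device must before it can forward the SNI, and models certificate selection for the offloaded case: the first assigned certificate acts as the default when no SNI is sent or the name matches nothing, and a connection without SNI is refused when Require SNI hostname is set. The ClientHello bytes are constructed, and select_certificate is a simplified model of the behaviour described on this page, not LoadMaster code.

```python
import struct

def build_client_hello(server_name=None):
    """Build a minimal TLS 1.2 ClientHello (constructed sample, not a capture).
    The random field is zeroed; only the message structure matters here."""
    body = b"\x03\x03" + b"\x00" * 32           # client_version + 32-byte random
    body += b"\x00"                              # empty session_id
    body += struct.pack("!H", 2) + b"\xc0\x2f"   # one cipher suite
    body += b"\x01\x00"                          # compression_methods: null only
    exts = b""
    if server_name is not None:
        name = server_name.encode("idna")
        entry = b"\x00" + struct.pack("!H", len(name)) + name  # name_type 0 = host_name
        sni = struct.pack("!H", len(entry)) + entry             # ServerNameList
        exts += struct.pack("!HH", 0, len(sni)) + sni           # extension type 0
    body += struct.pack("!H", len(exts)) + exts
    hs = b"\x01" + struct.pack("!I", len(body))[1:] + body      # handshake type 1
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs    # record type 22

def extract_sni(record):
    """Return the host_name carried in the server_name extension, or None."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        return None                          # not a handshake record / ClientHello
    p = 9 + 2 + 32                           # skip headers, version and random
    p += 1 + record[p]                       # session_id
    p += 2 + struct.unpack("!H", record[p:p + 2])[0]   # cipher_suites
    p += 1 + record[p]                       # compression_methods
    if p + 2 > len(record):
        return None                          # hello carries no extensions block
    end = p + 2 + struct.unpack("!H", record[p:p + 2])[0]
    p += 2
    while p + 4 <= end:
        etype, elen = struct.unpack("!HH", record[p:p + 4])
        data = record[p + 4:p + 4 + elen]
        p += 4 + elen
        if etype == 0 and len(data) >= 5 and data[2] == 0:
            nlen = struct.unpack("!H", data[3:5])[0]
            return data[5:5 + nlen].decode("idna")
    return None

def select_certificate(assigned, sni, require_sni=False):
    """assigned: ordered list of certificate subject names; first is the default.
    Returns the name to serve, or None when the connection is dropped."""
    if sni is None:
        return None if require_sni else assigned[0]
    return sni if sni in assigned else assigned[0]
```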

To Enable & Configure Reencryption SNI hostname option for Server Name Indication (SNI):

  1. In the main menu, select Virtual Services > View/Modify Services.
  2. Click the Modify button on the relevant Virtual Service.
  3. Expand the SSL Properties section.
  4. Ensure that the SSL Acceleration Enabled and Reencrypt check boxes are selected.
  5. Select the Require SNI hostname check box.
  6. Enter the hostname or FQDN in the Reencryption SNI hostname field and select Set SNI Hostname.

The LoadMaster also supports servers that require SNIs for their health checks.

To Enable & Configure SNI health checks option for Real Servers:

  1. In the main menu, select Virtual Services > View/Modify Services.
  2. Click the Modify button on the relevant Virtual Service.
  3. Expand the Real Servers section.
  4. Select the HTTP/1.1 check box.
  5. Enter the hostname or FQDN in the HTTP/1.1 Host field and select Set Host.

Note. Support for SNI was added to the LoadMaster feature set as of the 7.0-12 version of firmware. The addition of this feature will allow LoadMaster administrators more flexibility when configuring Virtual Services and assigning SSL certificates.


Comments

Stefan Klotz

It seems that the first certificate in the "Assigned Certificates" list will be used as the default one, in case SNI is not available or the included Common Name does not match any of the assigned certificates.

MSTeam

The setting is labelled *require* SNI whereas the article discusses it as if it were *enable* SNI. I believe the feature works without this set, and the tooltip help says that setting this feature will drop connections that don't supply the SNI in the client hello message.