Server Name Indication (SNI)

Server Name Indication (SNI) is an extension to the Transport Layer Security (TLS) protocol that indicates which host name the client is attempting to connect to at the start of the handshake. This allows a server to present multiple certificates on the same IP address and TCP port number, and hence allows multiple secure (HTTPS) websites (or any other service over TLS) to be served from the same IP address without requiring all of those sites to use the same certificate. It is the conceptual equivalent of HTTP/1.1 virtual hosting for HTTPS.

Support for SNI was added to the LoadMaster feature set as of the 7.0-12 version of firmware. The addition of this feature will allow LoadMaster administrators more flexibility when configuring Virtual Services and assigning SSL certificates.


SNI is configurable for any Virtual Service that supports HTTPS, in either an offloaded or a pass-through configuration. If SSL acceleration is not enabled, the LoadMaster takes the SNI information provided by the client and passes it along to the server when the connection is established. If you have enabled SSL acceleration within a Virtual Service, assign the correct certificates to the service in addition to enabling the Reencryption SNI hostname option.

SNI is not only supported within a Virtual Service; the LoadMaster also supports servers that require SNI for their health checks. Enable HTTP/1.1 and the HTTP/1.1 Host text box will appear. In addition to those changes, make sure to set the HTTP Method to GET.


Comments

Stefan Klotz

It seems that the first certificate in the "Assigned Certificates" list will be used as the default one, in case SNI is not available or the included Common Name does not match any of the assigned certificates.

MSTeam

The setting is labelled *require* SNI, whereas the article discusses it as if it were *enable* SNI. I believe the feature works without this set, and the tooltip help says that setting this feature will drop connections which don't supply the SNI in the client hello message.