SAN Certificate Name Matching without SNI


I'm trying to get clarity on the documentation around SAN names in SSL certificates. The documentation says "When using a Subject Alternative Name (SAN) certificate, alternate source names are not matched against the host header." but this note comes after the section describing "Require SNI hostname", and I'm not clear whether it only applies if SNI is enabled.

Should the Kemp match SAN names in my certificate against the hostname when SNI is not enabled?

My experience is that it does not, and that requests which should match the SAN certificate are being presented with a different SSL certificate which is present on the virtual service (a wildcard cert).

Thanks.

1 comment

Barry Gleeson

Hi Ben,

"When using a Subject Alternative Name (SAN) certificate, alternate source names are not matched against the host header." (applies to FW <=7.1-34)

This only applies when SNI is used by the client (this behaviour may or may not be required by the LoadMaster).

a. Without SNI, the cert is presented before any domain name is specified. (This will default to presenting the first cert on the list, so it could result in issues where multiple certs are used.)

b. However where SNI is used by the client:

If you have multiple certificates assigned to a VS, when deciding which cert to present the LM looks at the SNI hostname and presents the relevant cert. However, the LM only checks the Subject of the cert, not the alternate source names, so this may result in issues where multiple certs with Subject Alternative Names are used.

"Require SNI hostname", simply forces b. above.


Barry
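The selection rules Barry describes, as an added worked example that is not part of the original thread and not Kemp code: a small model of a virtual service holding an ordered list of certificates, where no SNI yields the first certificate and SNI is matched against the Subject only, side by side with the same selection extended to SAN entries. The certificates are constructed dicts (a CN plus SAN list), "Subject" is modelled as the CN, wildcard matching follows the RFC 6125 leftmost-label rule, and the fallback to the first certificate when an SNI name matches nothing is an assumption, since the thread does not say what happens in that case.

```python
"""Model of TLS certificate selection on a virtual service with several
certificates. Constructed example, not LoadMaster code: it reproduces the
behaviour described in the thread (no SNI -> first certificate on the list;
SNI -> match the SNI hostname against the Subject only) and contrasts it with
matching Subject Alternative Names too, so the SAN-behind-wildcard failure
mode from the question becomes visible. Certificates are plain dicts; there is
no real X.509 parsing here.
"""


def hostname_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style name matching: case-insensitive; a single '*' is only
    honoured as the entire leftmost label and matches exactly one label, so
    '*.example.com' covers 'www.example.com' but not 'example.com' or
    'a.b.example.com', and partial wildcards such as 'www*.example.com' never
    match."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if not pattern.startswith("*."):
        return False
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if len(p_labels) != len(h_labels):
        return False
    # The wildcard stands in for the first label only; the rest must be equal.
    return p_labels[1:] == h_labels[1:]


def select_cert(certs, sni_hostname, match_san):
    """Pick the certificate to present. `certs` is the ordered list assigned
    to the virtual service; `sni_hostname` is None when the ClientHello
    carried no SNI. Returns (certificate, reason)."""
    if not certs:
        raise ValueError("virtual service has no certificate assigned")
    if sni_hostname is None:
        # No SNI: the name is unknown when the cert is sent, so the first
        # certificate on the list goes out (point a. in the answer).
        return certs[0], "no SNI; first certificate on the list"
    for cert in certs:
        if hostname_matches(cert["cn"], sni_hostname):
            return cert, f"SNI {sni_hostname!r} matched Subject CN {cert['cn']!r}"
        if match_san:
            for san in cert.get("sans", []):
                if hostname_matches(san, sni_hostname):
                    return cert, f"SNI {sni_hostname!r} matched SAN {san!r}"
    # Assumption (the thread does not state this case): an SNI name that
    # matches nothing falls back to the first certificate on the list.
    return certs[0], f"SNI {sni_hostname!r} matched nothing; first certificate on the list"


def names_at_risk(certs):
    """List every SAN entry that, under Subject-only selection, would be
    answered with a certificate it does not appear in. Each entry is
    (name, certificate it belongs to, certificate actually presented)."""
    at_risk = []
    for cert in certs:
        for san in cert.get("sans", []):
            chosen, _ = select_cert(certs, san, match_san=False)
            if chosen is not cert:
                at_risk.append((san, cert["name"], chosen["name"]))
    return at_risk


# Constructed certificate list for one virtual service: a wildcard cert first
# (the situation in the question), then a SAN cert whose CN is one name and
# whose SAN list carries the others.
VS_CERTS = [
    {"name": "wildcard", "cn": "*.example.com",
     "sans": ["*.example.com", "example.com"]},
    {"name": "san-cert", "cn": "api.example.net",
     "sans": ["api.example.net", "portal.example.org", "shop.example.org"]},
]


if __name__ == "__main__":
    for sni in (None, "www.example.com", "api.example.net", "portal.example.org"):
        for match_san in (False, True):
            cert, reason = select_cert(VS_CERTS, sni, match_san)
            mode = "Subject+SAN" if match_san else "Subject only"
            print(f"{mode:12} -> {cert['name']:9} ({reason})")
    print("SAN names served the wrong certificate under Subject-only selection:")
    for name, owner, served in names_at_risk(VS_CERTS):
        print(f"  {name}: belongs to {owner}, but {served} is presented")
```

Under Subject-only selection the request for `portal.example.org` is answered with the wildcard certificate even though that name exists only in the SAN cert, which is exactly the symptom in the question; `names_at_risk` enumerates every SAN entry on the service that would be mis-served this way, which is a useful pre-deployment check. To observe the real LoadMaster rather than the model, compare `openssl s_client -connect <vs>:443 -servername <name>` with the same command without SNI (on OpenSSL 1.1.1 and later, `-noservername` suppresses it) and inspect the Subject and SAN of the certificate each handshake returns.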