Tuesday, August 30, 2016

SNI checks for F5 VirtualServers

Using SNI (Server Name Indication) on a virtual server in a hosted web environment that requires TLS connections is not an unheard-of feature.

The combined use of Layer 7 host-header routing and SNI allows one single address to host dozens or hundreds of websites. To learn more about SNI, review here.


A quick means of testing an endpoint for SNI support (or the no-SNI case) is to use the common GnuTLS utility gnutls-cli, once with and once without the --disable-extensions option.

Check out a virtual server that was enabled for SNI support in the client-side SSL profile:

In this case my way port wifi provider intercepted my request for www.wwt.com; here's a direct request to the same site without and with SNI in the initial client-ssl hello.

If you happen to initiate an SSL session with the SNI extension disabled, or the end node does not support SNI, and the clientssl profile defined as the default for SNI is incorrectly set to "required", you will get an SSL fatal error.
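What gnutls-cli --disable-extensions actually changes on the wire, and why a "required" default profile then fails, is easier to see by looking at the ClientHello itself. The following is an added example, not code from the post or from F5 or GnuTLS: it builds a minimal TLS 1.2 ClientHello with or without a server_name extension, parses the SNI back out the way an inspecting device or a packet capture would, and models in simplified form the decision described above (no SNI plus a profile that requires peer SNI gives a fatal alert). The hostnames are constructed, and clientssl_decision is a hypothetical stand-in for the profile logic, not the F5 implementation.

```python
import struct

# Constructed sample hostname; not a value from the original post.
SAMPLE_HOST = "www.example.com"


def build_client_hello(server_name=None):
    """Build a minimal TLS 1.2 ClientHello record.

    With server_name=None no extensions block is emitted at all (the shape a
    hello takes when extensions are disabled); otherwise a single server_name
    extension (type 0x0000) carrying one host_name entry is appended.
    """
    body = b"\x03\x03"                # client_version: TLS 1.2
    body += b"\x00" * 32              # random (constructed, all zeros)
    body += b"\x00"                   # session_id: empty
    body += b"\x00\x02\xc0\x2f"       # cipher_suites: one suite, 2 bytes long
    body += b"\x01\x00"               # compression_methods: null only
    if server_name is not None:
        host = server_name.encode("idna")
        # ServerName = name_type(0 = host_name) + 2-byte length + name
        sn_list = b"\x00" + struct.pack("!H", len(host)) + host
        ext_data = struct.pack("!H", len(sn_list)) + sn_list
        ext = struct.pack("!HH", 0x0000, len(ext_data)) + ext_data
        body += struct.pack("!H", len(ext)) + ext   # extensions length + data
    # Handshake header: type client_hello (1) + 3-byte length
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body
    # Record header: content type handshake (0x16), legacy version, length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record):
    """Return the host_name from a ClientHello's server_name extension,
    or None when the hello carries no SNI (no extensions, or none of type 0)."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if not hs or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    pos = 2 + 32                                          # version + random
    pos += 1 + body[pos]                                  # session_id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]  # cipher_suites
    pos += 1 + body[pos]                                  # compression_methods
    if pos >= len(body):
        return None                                       # no extensions block
    ext_total = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_total
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        data = body[pos:pos + ext_len]
        pos += ext_len
        if ext_type != 0x0000:
            continue
        list_len = struct.unpack("!H", data[0:2])[0]
        q = 2
        while q + 3 <= 2 + list_len:
            name_type = data[q]
            name_len = struct.unpack("!H", data[q + 1:q + 3])[0]
            name = data[q + 3:q + 3 + name_len]
            q += 3 + name_len
            if name_type == 0:                            # host_name
                return name.decode("ascii")
    return None


def clientssl_decision(record, require_peer_sni):
    """Hypothetical, simplified model of a clientssl profile's SNI handling:
    a hello without SNI gets a fatal alert when peer SNI is required,
    otherwise falls through to the default profile; a hello with SNI is
    routed by the name it carries."""
    name = extract_sni(record)
    if name is None:
        return "fatal_alert" if require_peer_sni else "default_profile"
    return name


if __name__ == "__main__":
    with_sni = build_client_hello(SAMPLE_HOST)
    without_sni = build_client_hello(None)
    print("SNI in hello:", extract_sni(with_sni))
    print("SNI in hello:", extract_sni(without_sni))
    print("no-SNI client, required:", clientssl_decision(without_sni, True))
    print("no-SNI client, not required:", clientssl_decision(without_sni, False))
```

The same extract_sni parser can be pointed at the first handshake record of a captured session to confirm, independently of gnutls-cli's output, whether a given client actually sent a server_name extension before deciding that a "required" setting on the default profile is safe for that client population.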


NSE ( network security expert) and Route/Switching Engineer
kfelix  -----a----t---- socpuppets ---dot---com

     ^      ^
=(  @  @ )=
        /  \

