Tuesday, August 30, 2016

SNI checks for F5 VirtualServers

Using SNI (Server Name Indication) for a virtual server in a hosted web environment that requires TLS connections is not an unheard-of feature.


The combined use of the layer-7 Host header and SNI allows one single address to host dozens or hundreds of websites. To learn more about SNI, review here:

https://en.wikipedia.org/wiki/Server_Name_Indication

A quick means of testing for SNI or no-SNI support is to use the common GnuTLS utility gnutls-cli, with or without the --disable-extensions option.

Check out a virtual server that was enabled for SNI support in the client-side SSL profile:



In this case my Wayport wifi provider intercepted my request for www.wwt.com; here's a direct request to the same site, without and with SNI in the initial client hello.




If you happen to initiate an SSL session with the SNI extension disabled (the end node does not support SNI) and the clientssl profile defined as the default SNI is incorrectly set to "required", you will get an SSL fatal error.



Ken

NSE (Network Security Expert) and Route/Switching Engineer
kfelix  -----a----t---- socpuppets ---dot---com

     ^      ^
=(  @  @ )=
         o 
        /  \

