Using SNI with SSL intercept is not working in a forward proxy deployment

Article ID: 167120
Products

ProxySG Software - SGOS

Issue/Introduction

SNI (Server Name Indication) is an extension of the TLS protocol, used by the client to indicate the hostname it is attempting to connect to at the start of the SSL handshake. This allows a server to present multiple certificates on the same IP address and port number, and hence allows multiple secure (HTTPS) websites to be served off the same IP address without requiring all those sites to use the same certificate.

Users whose browsers (or proxies) do not support SNI will be presented with a default certificate and hence are likely to receive certificate warnings (or missing images or objects), unless the server is equipped with a wildcard certificate that matches the name of the website.

Resolution

SNI support was introduced in SGOS version 6.2. Users of older SGOS versions, including 5.4 and 5.5, will need to upgrade to at least 6.2 for SNI to work properly.

The 6.7.4.x versions introduced SNI support for Reverse Proxy deployments. Refer to the 6.7.4.x Release Notes for more information.