
The Impact of SNI (Server Name Indication) on DevTest

Article ID: 41348

Products

CA Application Test Service Virtualization CA Continuous Application Insight (PathFinder)

Issue/Introduction

Issue

I have a valid certificate chain installed, but I still cannot connect to a Virtual Service using SSL.

Environment

DevTest version 8.0 or later, using an SSL-enabled virtual service with valid certificates.

Cause

Since Java SE 7, SSL connections are protected with Server Name Indication (SNI) in addition to the previous SSL protection mechanisms.

Normally, SSL connections are verified by comparing the host name presented in the connection URL with the Common Name (CN) or Alternative Name(s) that were provisioned in the certificate when it was created.

Thus, a connection to https://myhost.mydomain.tld/index.html would only succeed if the certificate was issued to myhost.mydomain.tld or had an alternative name of myhost.mydomain.tld within it.

SNI adds a further level to the host verification - it uses the server name presented within the SSL handshake and verifies that this is also one of the valid names for the certificate. 

Both the name in the URL and the server name (if different) must be present in the certificate.

The Virtual Service Environment will configure the server name based on the host name of the machine upon which it runs - this name may be seen by executing the command hostname on the command line.

For example, if a certificate was issued to server myhost.mydomain.tld with no alternative names provided, and the host name is given as myhost, then a connection to https://myhost.mydomain.tld/index.html will fail the SNI check, and therefore be denied.

If, however, the host name is configured to be myhost.mydomain.tld then the connection will succeed, and, similarly, if myhost is added to the alternative names (or the certificate issued to myhost with myhost.mydomain.tld in the alternative names) then the connection will be permitted to proceed.
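The two checks described above, worked through on the article's own cases, as an added example (Python standard library only; it is not DevTest code and does not use the Java SSL stack). The certificate dictionaries are constructed in the layout that ssl.SSLSocket.getpeercert() returns, and the probe function is an assumed helper for checking a live endpoint with a chosen SNI name:

```python
import socket
import ssl


def cert_names(cert):
    """Collect the CN and DNS SANs from the dict that ssl.SSLSocket.getpeercert() returns."""
    names = [value for rdn in cert.get("subject", ()) for key, value in rdn if key == "commonName"]
    names += [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    return names


def name_matches(pattern, host):
    """Exact match, or a single leading '*.' wildcard label (the bare domain does not match)."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        return "." in host and host.split(".", 1)[1] == pattern[2:]
    return pattern == host


def check_connection(cert, url_host, sni_host):
    """Apply both checks from the article: the URL host and the SNI name must each be covered."""
    names = cert_names(cert)
    url_ok = any(name_matches(n, url_host) for n in names)
    sni_ok = any(name_matches(n, sni_host) for n in names)
    if url_ok and sni_ok:
        return True, "URL host and SNI name are both covered by the certificate"
    if not url_ok:
        return False, f"URL host {url_host!r} is not among certificate names {names}"
    return False, f"SNI name {sni_host!r} is not among certificate names {names}"


def probe(host, port, sni_host, cafile=None):
    """Live check (assumed helper): handshake with host:port presenting sni_host. Python verifies
    the chain and the certificate names against sni_host; a mismatch raises ssl.SSLCertVerificationError."""
    ctx = ssl.create_default_context(cafile=cafile)
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=sni_host) as tls:
            return tls.getpeercert()


# Constructed certificates in getpeercert() layout, mirroring the article's cases.
CERT_CN_ONLY = {"subject": ((("commonName", "myhost.mydomain.tld"),),)}
CERT_WITH_SAN = {"subject": ((("commonName", "myhost.mydomain.tld"),),),
                 "subjectAltName": (("DNS", "myhost"),)}

if __name__ == "__main__":
    url_host = "myhost.mydomain.tld"   # name used in the connection URL
    for cert, sni in [(CERT_CN_ONLY, "myhost"), (CERT_CN_ONLY, url_host), (CERT_WITH_SAN, "myhost")]:
        print(f"SNI={sni!r}: {check_connection(cert, url_host, sni)}")
```

Running the script reports the short-name SNI case as failing against the CN-only certificate and passing once the FQDN is used as the SNI name or the short name is added as a SAN.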

Resolution

Always ensure that all names by which a host is known are included in the certificate for that machine - this includes long (FQDN) and short form names. 

Additional Information

SNI - https://en.wikipedia.org/wiki/Server_Name_Indication

SSL Certificates - https://en.wikipedia.org/wiki/X.509

Alternative names - https://en.wikipedia.org/wiki/SubjectAltName

Environment

Release: LSASVR99000-8.1-LISA-Server