TLS SNI Extension Support
Starting with Genesys Security Pack on UNIX 188.8.131.52, it’s possible to specify TLS extension server_name by setting the tls-target-name option. Server Name Indication (SNI) is an extension to the Transport Layer Security (TLS) computer networking protocol by which a client indicates which host name it is attempting to connect to at the start of the handshaking process. For related RFC, see here.
This feature requires the tls-target-name option to work correctly. For information on the tls-target-name option, refer to tls-target-name.
Client-side and server-side support
On the client side:
- Both Windows and UNIX Security Pack implementations send the server_name extension.
On the server side:
- Neither Windows nor UNIX Security Pack support this feature.
The tls-target-name setting causes the server_name extension to be sent to the server and causes the client to check this value against the subject/CN and/or SAN in the returned certificate from the server, even if connection was made using IP address instead of hostname. This check happens only if the tls-target-name-check option's value is set to host.