Jump to: navigation, search

TLS SNI Extension Support

Introduction

Starting with Genesys Security Pack on UNIX 8.5.100.23, it’s possible to specify TLS extension server_name by setting the tls-target-name option. Server Name Indication (SNI) is an extension to the Transport Layer Security (TLS) computer networking protocol by which a client indicates which host name it is attempting to connect to at the start of the handshaking process. For related RFC, see here.

This feature requires the tls-target-name option to work correctly. For information on the tls-target-name option, refer to tls-target-name.

Client-side and server-side support

On the client side:

  • Both Windows and UNIX Security Pack implementations send the server_name extension.
Important
Both implementations send the server_name extension all the time. However, if you do not set the tls-target-name value, then wrong server name may be sent. This issue will be fixed in future iterations.

On the server side:

  • Neither Windows nor UNIX Security Pack support this feature.

The tls-target-name setting causes the server_name extension to be sent to the server and causes the client to check this value against the subject/CN and/or SAN in the returned certificate from the server, even if connection was made using IP address instead of hostname. This check happens only if the tls-target-name-check option's value is set to host.

This page was last edited on April 13, 2020, at 18:06.
blog comments powered by Disqus