IBM Support

Datapower TLS SNI Server Profile

Question & Answer


Question

What is TLS SNI Server Profile on Datapower Gateways?

Answer

Server Name Indication (SNI) is an extension to the TLS protocol that lets a TLS server support secure connections for multiple websites or other services, each with distinct credentials, over a single TCP host and port. The extension defines how the TLS client specifies the host it wants, and how the TLS server matches that host name, exactly or with wildcards, to the appropriate security credentials. For more information, see Server Name Indication.

SNI support was added to the DataPower appliance for cases where the appliance acts as a TLS client or as a TLS SNI server. In the latter case, a host name mapping associates the host name carried in the TLS extension with a TLS server profile during the TLS handshake.

A TLS host name mapping contains one or more maps between host names and their associated TLS server profiles. Host names in maps support wildcards.

A TLS SNI server profile defines a TLS SNI server that presents the certificate matching the host name in the client's SNI request. This profile specifies:
  • The TLS protocol versions to support.
  • The TLS host name mapping that maps the requested SNI host name to the associated TLS server profile.
  • A default TLS server profile to use when the client request carries no SNI host name.
  • Advanced options for the maximum TLS session duration and the maximum number of client-initiated renegotiations to allow. These settings override the settings of the individual TLS server profiles.
Note: When the settings of the TLS SNI server profile and the mapped TLS server profile differ, the TLS SNI server profile setting is used. For example, when a TLS SNI server profile does not permit client session renegotiation but its mapped TLS server profile does, the setting from the TLS SNI server profile takes precedence, so client session renegotiation is not permitted.

Common errors

A TLS SNI server profile configuration can fail to match a TLS client request. Here are two cases:

  • No host mapping match for TLS client SNI request
  • No default TLS Server Profile, and no TLS client SNI specification

In both cases, the client TLS handshake fails and the default log contains the following messages (shown here for an XML Firewall):
[0x8120002f][ssl][error] ssl-sni-server(TLS_SNI_Server_Profile_name): tid(15953): SSL library error: error:1412E0E2:SSL routines:ssl_parse_clienthello_tlsext:clienthello tlsext
[0x8120002f][ssl][error] ssl-sni-server(TLS_SNI_Server_Profile_name): tid(15953): SSL library error: error:1408A0E3:SSL routines:ssl3_get_client_hello:parse tlsext
[0x80e00130][http][error] xmlfirewall(XML_Firewall_name): tid(15953): could not establish SSL for incoming connection
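The following Python model is an added illustration, not code from the IBM page or from the DataPower product. It models the profile selection rules described above (exact or wildcard host name maps, the default profile for requests without SNI, the SNI profile's renegotiation setting taking precedence) and the two failure cases listed under Common errors. Profile field names, glob-style wildcard matching and exact-before-wildcard precedence are assumptions made for the example.

```python
import fnmatch
from dataclasses import dataclass
from typing import Optional

@dataclass
class TlsServerProfile:
    name: str
    client_renegotiation: bool   # per-profile setting; overridden by the SNI profile

@dataclass
class TlsSniServerProfile:
    # host name mapping: (host name or wildcard pattern, server profile) pairs (assumed shape)
    host_map: list
    default_profile: Optional[TlsServerProfile]
    client_renegotiation: bool   # "advanced" setting; takes precedence over the mapped profile

class SniHandshakeError(Exception):
    """Raised where the gateway would log 'could not establish SSL for incoming connection'."""

def select_profile(sni: TlsSniServerProfile, client_sni: Optional[str]) -> TlsServerProfile:
    """Pick the TLS server profile for one ClientHello according to the rules in the answer."""
    if client_sni is None:
        # Case 2 from the answer: no SNI in the request, so only a default profile can serve it.
        if sni.default_profile is None:
            raise SniHandshakeError("no SNI in ClientHello and no default TLS server profile")
        return sni.default_profile
    host = client_sni.lower().rstrip(".")
    # Exact maps are checked before wildcard maps (assumed precedence order).
    for pattern, profile in sni.host_map:
        if "*" not in pattern and pattern.lower() == host:
            return profile
    for pattern, profile in sni.host_map:
        # Glob matching is an assumption; '*' here matches across label boundaries.
        if "*" in pattern and fnmatch.fnmatchcase(host, pattern.lower()):
            return profile
    # Case 1 from the answer: SNI present but no host name map matches it.
    raise SniHandshakeError(f"no host name mapping for SNI {client_sni!r}")

def renegotiation_allowed(sni: TlsSniServerProfile, profile: TlsServerProfile) -> bool:
    """The SNI profile's setting is used even where the mapped profile would allow more."""
    return sni.client_renegotiation

def example_config() -> TlsSniServerProfile:
    """Constructed sample: one exact map, one wildcard map, a default, renegotiation off."""
    api = TlsServerProfile("api-profile", client_renegotiation=True)
    wild = TlsServerProfile("wildcard-profile", client_renegotiation=True)
    dflt = TlsServerProfile("default-profile", client_renegotiation=False)
    return TlsSniServerProfile([("api.example.com", api), ("*.example.com", wild)], dflt, False)
```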


Document Information

Modified date:
29 June 2023

UID

ibm17008365