How can I fix an issue with the SNI for an SSL request?
SNI is the abbreviation for Server Name Indication. It is an extension to SSL/TLS that was designed in response to the dwindling supply of IPv4 addresses. Because the client states the hostname it wants to reach during the handshake, a server can host numerous HTTPS-protected websites, each with its own SSL certificate, on the same IP address and TCP port. To use SNI, the SSL/TLS library on each end of the connection must support it.
In 2004, the OpenSSL library implemented the SNI protocol. Because a browser may rely on either its own TLS library or the operating system's, some browsers have not supported SNI on every operating system.
Let’s dig a little deeper into what you need to know about Server Name Indication.
What exactly is the purpose of the TLS SNI extension?
Typically a single web server handles numerous hostnames, also known as domain names. If the websites use HTTPS, each hostname requires its own SSL certificate.
The issue is that all of these hostnames on the server share the same IP address. With plain HTTP this is not a problem: as soon as the TCP connection is established, the client names the website it wants in the HTTP request (the Host header).
With SNI, the domain name is included in the TLS handshake so that the server can select the correct SSL certificate and the handshake can continue smoothly and securely. Specifically, the Client Hello message (the first step of a TLS handshake) carries the hostname in the SNI extension.
What happens if a user’s browser lacks SNI support?
In rare cases the user’s browser may display an error message such as “Your connection is not private,” preventing the user from reaching the intended website. This does not happen often, since nearly all browsers and operating systems support SNI. All current browsers support it, as does almost all other software, except for very old versions of Internet Explorer, BlackBerry OS, and other obsolete programs.
Types of SNI mismatch errors
- Hostname <IP-DNS> provided via SNI, but no hostname provided in the HTTP request.
- Hostname <IP-DNS> provided via SNI and hostname <DNS> provided via HTTP are different.
How can I troubleshoot an issue with the SNI for an SSL request?
Fixing SNI issues requires analyzing your SSL request. To do that, take a tcpdump capture on your client and inspect the “Client Hello” packet. Once tcpdump is installed, run it with the following arguments to record the requests:
# tcpdump -i eth0 'host <Web_Server_IP>' -w /tmp/test.pcap
You can then open test.pcap in Wireshark to examine all of the traffic. Next, set the SSL/TLS port you use to connect to the web server in the HTTP protocol preferences, so that Wireshark decodes the traffic as TLS. Apply the setting, then locate the “Client Hello” message that was sent.
Edit >> Preferences >> Protocols >> HTTP >> SSL/TLS Port
Selecting the “Client Hello” packet shows all of the request details. Expand the “Secure Sockets Layer” section and, under Handshake Protocol, the server_name extension. This is the most important field to check: confirm that the hostname your client sends to the web server is the one you expect.