Summary: It is possible to specify SSL Acceleration for hosts that use Server Name Indication (SNI).
Some companies have multiple secure websites being served from a single server, on a single IP address. Previously, attempting to host multiple secure sites on a single IP address would cause certificate requests to be perceived as man-in-the-middle attacks, and the connections would be refused. With IIS 8.0, the Server Name Indication (SNI) extension was introduced, which allows a hostname or domain name to be included in SSL certificate requests.
Support for the SSL extension Server Name Indication (SNI) has been included in the Exinda appliance 6.4 firmware, allowing a client to inform the server which hostname it is trying to connect to so the server can provide a different certificate for that hostname, despite having the same IP address as other hostnames.
If using SSL acceleration on an Exinda appliance, it is recommended to add a second SSL server with the SNI extension to the configuration, regardless of whether SNI is used on the server side. As most modern web browsers have supported SNI for some time, traffic may run into problems if the server with the SNI extension is not added.
Note: Before a server with an SNI extension can be added to the Exinda appliance, the server must be added to the appliance without the SNI extension. The server without the SNI extension is used as a fallback in case the client is unable to process the SSL certificate with SNI.
A server with the same IP address and port number can be added to the appliance by specifying a unique SNI extension for each server.
- Click System > Optimization > SSL.
- In the Add SSL Acceleration Server area, type a name for the server or application you wish to enable for SSL Acceleration.
- Type the IPv4 address and the port number of the server running the SSL enabled application.
This must match the existing SSL server.
- Type the SNI extension in the field.
If you do not have an SNI extension, or do not know what it is, type the host name of the website.
- Select the Certificate to use for re-encryption of the SSL session.
The certificates available here are those that are configured in the Certificate and Key page.
- Select the Client Auth Certificate to authenticate sessions on the SSL server.
- Select the type of validation to apply to the server's certificate.
  - None: SSL Acceleration accepts and processes the connection even if the server's SSL certificate is invalid or expired.
  - Reject: SSL Acceleration does not process the connection if the server's SSL certificate is invalid or expired. The connection is still accelerated, but not SSL accelerated.
  - Certificate: SSL Acceleration accepts and processes the connection only if the server's certificate matches the validation certificate. Otherwise, the connection is not processed.
- If Certificate is selected as the Validation type, select the certificate to validate against.
- Click Add SSL Server.
The servers are displayed at the top of the page, where they can be edited or deleted.