Article ID: CTX206768
Description
An SNI-enabled SAN certificate does not work on NetScaler. The nstrace shows the following:

Resolution
A fatal error is recorded in the network trace. This error occurs under the following two conditions:
- You send an SNI-enabled request to a virtual server that does not contain a certificate for that domain name.
- You send an SNI-disabled request to a virtual server that does not contain the default certificate.
Support for SNI with a SAN Extension Certificate was added in the 11.0 build and later.
The following excerpt from the release notes of the 11.0-64.34 build is provided for reference:
https://download.citrix.com/content/dam/citrix/en_us/documents/downloads/netscaler-adc/NS_11_0_64_34.html

Support for SNI with a SAN Extension Certificate

The NetScaler appliance now supports SNI with a SAN extension certificate. During handshake initiation, the host name provided by the client is first compared to the common name and then to the subject alternative name. If the name matches, the corresponding certificate is presented to the client. [From Build 55.20] [# 250573]
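The two failure conditions and the matching order quoted from the release note can be modelled in a few lines of Python. This is an added example, not Citrix code: `Cert`, `select_cert`, the `san_supported` switch (standing in for a build without SAN matching) and the example.com names are constructed for illustration, and exact case-insensitive name comparison is an assumption.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

FATAL = "fatal alert"

@dataclass
class Cert:
    name: str                      # hypothetical certkey label
    common_name: str
    sans: List[str] = field(default_factory=list)

def _eq(a: str, b: str) -> bool:
    # Assumption: exact, case-insensitive comparison; no wildcard handling.
    return a.lower().rstrip(".") == b.lower().rstrip(".")

def select_cert(sni_host: Optional[str], sni_certs: List[Cert],
                default_cert: Optional[Cert],
                san_supported: bool = True) -> Tuple[str, str]:
    """Return (certificate label or FATAL, reason) for one ClientHello."""
    if sni_host is None:
        # SNI-disabled request: only the default certificate can be served.
        if default_cert is None:
            return FATAL, "no SNI sent and no default certificate bound"
        return default_cert.name, "default certificate"
    # SNI-enabled request: common name first, then subject alternative name.
    # Assumption: all common names are tried before any SAN entry.
    for cert in sni_certs:
        if _eq(sni_host, cert.common_name):
            return cert.name, "matched common name"
    if san_supported:
        for cert in sni_certs:
            if any(_eq(sni_host, san) for san in cert.sans):
                return cert.name, "matched subject alternative name"
    return FATAL, "no certificate bound for " + sni_host

# Constructed sample: one SAN certificate bound for SNI, no default certificate.
SAN_CERT = Cert("san-cert", "www.example.com",
                ["www.example.com", "api.example.com"])

def demo() -> List[Tuple[str, str]]:
    return [
        select_cert("api.example.com", [SAN_CERT], None, san_supported=False),
        select_cert("api.example.com", [SAN_CERT], None, san_supported=True),
        select_cert(None, [SAN_CERT], None),
    ]

if __name__ == "__main__":
    for result in demo():
        print(result)
```
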