The SNI Feature of NetScaler Appliance

Article ID: CTX125798

Description

This article contains information about the Server Name Indication (SNI) feature of the NetScaler appliance.

Background

The SNI feature is included starting with NetScaler software release 9.2.

Note: The SNI feature is not supported on back-end connections. For information on how to configure Windows to accept non-SNI client connections when a product that requires SNI (such as AD FS) is in use, refer to How to support non-SNI capable Clients with Web Application Proxy and AD FS 2012 R2.

The SNI Feature of the NetScaler Appliance

Starting with NetScaler software release 9.2, you can enable the SNI feature of the appliance to host multiple domains securely on a single Secure Sockets Layer (SSL) virtual server IP address. SNI lets the client that requests a connection name the secure domain it wants to reach. As a result, you do not need to configure multiple virtual servers, each listening on its own IP address and port number, to host multiple domains.

The SNI feature enables you to bind multiple certificates to a single virtual server. This differs from a wildcard certificate, which covers the subdomains within one domain rather than several individual domains; with SNI you can serve separate domains, and subdomains as well. Internally, the NetScaler appliance parses the bound certificates, extracts their domain names, and stores those names in a hash table used to select the certificate for each connection.

You can also bind a default certificate to the virtual server. The default certificate is used for clients that do not specify a domain name, because some web browsers do not send the SNI extension. In such cases, the appliance responds to the client with the default certificate.

The following is the command to bind an SNI certificate to a virtual server (the certkey name and virtual server name are placeholders):

bind ssl vserver <VServer_Name> -certkeyName <Domain_Name> -SNICert

Refer to the following sections for more information on the SNI feature of the appliance:

Security Highlights of the SNI Feature

The following are the security highlights of the SNI feature:

  • During the SSL handshake, the client sends an additional parameter naming the secure domain it wants to connect to. In earlier releases, this information was not available until the SSL handshake had completed.
  • A secure channel is established between the client and the virtual server for each domain requested by the client.
  • After a secure channel is established, the session can be reused for further requests to the same domain.
  • The association between a session and its domain is maintained. Cross-domain sessions are not allowed on the appliance.
  • The SNI feature is similar to the virtual hosting feature of HTTP/1.1, except that SNI operates at the SSL layer.

How Does SSL Handshake Work with SNI

When a Client Hello arrives with a servername extension, NetScaler matches the server name against all configured SNI certificates (only the SNI list, not the default certificate) and proceeds if a match is found. If no match is found, NetScaler returns an unrecognized name message and resets the connection.

When a Client Hello arrives without a servername extension, the default certificate is returned, if one is configured. If only SNI certificates are configured and there is no default certificate, the SSL handshake fails and NetScaler resets the connection.

Configuring the SNI Feature

Refer to CTX205283 - How Do I Configure SNI on NetScaler?

Web Browsers Compatible with the SNI Feature

The following is a list of web browsers compatible with the SNI feature:

  • Internet Explorer 7 or later on Microsoft Windows Vista, but not on Microsoft Windows XP.
  • Mozilla Firefox 2.0 or later.
  • Opera 8.0 or later. The TLS 1.1 protocol must be enabled in this web browser.
  • Google Chrome.
  • Safari 3.2.1 with Mac OS X 10.5.6.

Web Servers Compatible with the SNI Feature

The following is a list of web servers compatible with the SNI feature:

  • Apache with mod_gnutls or mod_ssl.
  • Cherokee, if compiled with TLS support.
  • Newer versions of lighttpd 1.4.x and lighttpd 1.5.x.
  • Nginx with an accompanying OpenSSL built with SNI support.
  • Mac OS X 10.5.6.

Libraries Compatible with the SNI Feature

The following libraries are compatible with the SNI Feature:

  • Mozilla NSS.
  • OpenSSL. By default, the OpenSSL 0.9.8f library is not compiled with SNI support. You can build it with the enable-tlsext configuration option to include SNI. The OpenSSL 0.9.9 library is expected to include SNI support by default.
  • GnuTLS.
  • Nginx with an accompanying OpenSSL built with the SNI support.

Note: The Internet Information Server (IIS) is not yet supported.

Support for SNI with a SAN Extension Certificate

Support for SNI with a SAN extension certificate is available from release 11.0 builds onward. The following is from the release notes of 11.0-64.34:

The NetScaler appliance now supports SNI with a SAN extension certificate. During handshake initiation, the host name provided by the client is first compared to the common name and then to the subject alternative name. If the name matches, the corresponding certificate is presented to the client.
[From Build 55.20] [# 250573]

Support for SNI in Backend

SNI is supported on the back end from NetScaler 11.1.x onward.

To enable SNI on an SSL service (the service name is a placeholder; abc.com is the example server name):
set ssl service <service name> -SNIEnable ENABLED -commonName abc.com

To enable SNI on an SSL profile (bound to the SSL service):
set ssl profile <ssl profile name> -SNIEnable ENABLED -commonName abc.com

More details on the feature:
https://docs.citrix.com/en-us/netscaler/11-1/ssl/config-ssloffloading/support_for_sni_on_backend_service.html

Support for SNI on Receiver

From Receiver for Windows 4.6, a Receiver connection to a NetScaler Gateway configured with Server Name Indication (SNI) works without additional configuration, so users can launch desktops and applications successfully. For more information, refer to the Citrix Blog post Citrix Receiver for Windows 4.6 is Available Now!

Receiver for Mac 12.7 and later also supports NetScaler Gateway configured with Server Name Indication (SNI), so users can launch desktops and applications successfully. Refer to the Receiver for Mac 12.7 Product Documentation to learn more.

Facts to Remember

  • A certificate bound without the -SNICert option can be used as the default certificate.
  • If SNI is enabled on the virtual server but the client does not send the SNI extension, the NetScaler uses the default certificate.
  • A common name is mandatory for certificates bound as SNI certificates.
  • Wildcard certificates can be used as SNI certificates.
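
The certificate-selection rule described in the handshake section, the SAN note and the facts above, as an added model (not NetScaler code): certificates are constructed records holding a common name and optional SAN DNS names rather than parsed X.509, and the outcome labels returned on failure are chosen here for illustration.

```python
from dataclasses import dataclass

@dataclass
class CertKey:
    """A certkey as bound to an SSL vserver (constructed record, not a parsed X.509 cert)."""
    name: str            # certkey name used in "bind ssl vserver"
    common_name: str     # subject CN; the article says this is mandatory for SNI certs
    san_dns: tuple = ()  # subjectAltName DNS entries, if the certificate carries a SAN

def name_matches(pattern: str, host: str) -> bool:
    """Exact match, or a wildcard certificate covering one leftmost label only."""
    pattern, host = pattern.lower(), host.lower()
    if pattern == host:
        return True
    if pattern.startswith("*."):
        suffix = pattern[1:]              # "*.example.com" -> ".example.com"
        label = host[: -len(suffix)] if host.endswith(suffix) else ""
        return bool(label) and "." not in label
    return False

class SniVserver:
    """Certificate selection for an SNI-enabled SSL vserver, as the article describes it."""
    def __init__(self):
        self.default_cert = None   # bound without -SNICert
        self.sni_certs = []        # bound with -SNICert, in bind order

    def bind(self, cert: CertKey, sni: bool = True) -> None:
        if sni:
            self.sni_certs.append(cert)
        else:
            self.default_cert = cert

    def select(self, server_name):
        """Return (certkey, None) on success or (None, outcome) when the handshake fails."""
        if server_name is None:
            # No servername extension: only the default certificate can be used.
            if self.default_cert is not None:
                return self.default_cert, None
            return None, "handshake_failure"   # SNI certs only, no default: reset
        # With servername: search the SNI list only (never the default certificate),
        # comparing the CN first and then the SAN entries of each certificate.
        for cert in self.sni_certs:
            if name_matches(cert.common_name, server_name) or any(
                name_matches(s, server_name) for s in cert.san_dns
            ):
                return cert, None
        return None, "unrecognized_name"       # alert sent, connection reset
```

Note that a client sending a server name that only the default certificate covers still gets unrecognized_name, because the default certificate is excluded from the SNI search.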

Additional Information

CTX205283 - How Do I Configure SNI on NetScaler?