SSL Handshake Fails When Server Name Indication (SNI) is Enabled on ADC

Article ID: CTX230681

Description

SSL handshake fails when the Server Name Indication feature is enabled on NetScaler

Server Name Indication (SNI) is an extension of the TLS protocol that lets the client name, in its client hello, the host it wants to reach, so that a server hosting several sites on one IP address can select the matching certificate. For SNI to work, the server name in the client hello must match the host name configured on the back-end service that is bound to the SSL virtual server.

For example, if the host name of the back-end server is www.mail.example.com, the SNI-enabled back-end service must be configured with the server name www.mail.example.com (a bare host name, not a URL such as https://www.mail.example.com), and this host name must match the server name in the client hello that the ADC sends to the back end.
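The following Python script is an added example, not part of the Citrix article and not NetScaler code. It builds a minimal TLS 1.2 ClientHello with or without the server_name extension (RFC 6066), extracts the SNI host name the way a back-end server does, and then decides, for a back end that serves only one configured host name, whether the handshake can continue. The host names, the single cipher suite and the all-zero random are constructed values chosen for the demonstration.

```python
"""
Added example (not from the Citrix article): a ClientHello with and without
SNI, and the matching decision a back end that requires SNI makes on it.
"""
import struct
from typing import Optional


def build_client_hello(server_name: Optional[str]) -> bytes:
    """Return a TLS record carrying a minimal TLS 1.2 ClientHello.

    server_name=None yields a ClientHello with no server_name extension,
    which is what a proxy sends upstream when back-end SNI is disabled.
    """
    body = b"\x03\x03"                      # client_version: TLS 1.2
    body += bytes(32)                        # random (constructed, all zero)
    body += b"\x00"                          # session_id: empty
    body += b"\x00\x02" + b"\xc0\x2f"        # cipher_suites: one suite (ECDHE-RSA-AES128-GCM-SHA256)
    body += b"\x01\x00"                      # compression_methods: null only
    extensions = b""
    if server_name is not None:
        host = server_name.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(host)) + host     # name_type host_name(0)
        name_list = struct.pack("!H", len(entry)) + entry
        extensions += b"\x00\x00" + struct.pack("!H", len(name_list)) + name_list  # ext type 0 = server_name
    body += struct.pack("!H", len(extensions)) + extensions
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body    # HandshakeType client_hello(1)
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # ContentType handshake(22)


def extract_sni(record: bytes) -> Optional[str]:
    """Parse the server_name extension out of a ClientHello record; None if absent."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    hs = record[5:]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    p = 4                                            # handshake type + 3-byte length
    p += 2 + 32                                      # client_version + random
    p += 1 + hs[p]                                   # session_id
    p += 2 + struct.unpack("!H", hs[p:p + 2])[0]     # cipher_suites
    p += 1 + hs[p]                                   # compression_methods
    if p >= len(hs):
        return None                                  # extensions block omitted entirely
    ext_len = struct.unpack("!H", hs[p:p + 2])[0]
    p += 2
    end = p + ext_len
    while p + 4 <= end:
        ext_type, length = struct.unpack("!HH", hs[p:p + 4])
        p += 4
        data = hs[p:p + length]
        p += length
        if ext_type == 0:                            # server_name
            list_len = struct.unpack("!H", data[:2])[0]
            q = 2
            while q + 3 <= 2 + list_len:
                name_type = data[q]
                name_len = struct.unpack("!H", data[q + 1:q + 3])[0]
                q += 3
                name = data[q:q + name_len]
                q += name_len
                if name_type == 0:
                    return name.decode("ascii")
    return None


def backend_accepts(record: bytes, configured_name: str) -> bool:
    """Model a back end that serves only configured_name and needs SNI to pick
    its certificate: the handshake proceeds only on a matching server_name."""
    sni = extract_sni(record)
    return sni is not None and sni.lower() == configured_name.lower()


def demo() -> None:
    backend = "www.mail.example.com"                 # constructed back-end host name
    for name in ("www.mail.example.com", "mail.example.com", None):
        ok = backend_accepts(build_client_hello(name), backend)
        print(f"SNI={name!r:24} -> {'handshake continues' if ok else 'handshake fails'}")


if __name__ == "__main__":
    demo()
```

Running demo() shows the three cases the article's description implies: an exact match continues, a different host name fails, and a ClientHello with no server_name at all (the ADC with back-end SNI disabled) fails too.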
Resolution

Support for SNI on the back-end service was introduced in NetScaler 11.1. The back-end server SNI parameter for NetScaler Gateway used below is available from NetScaler 12.0 build 53.x.

Before changing the ADC, confirm that the back end is what requires SNI: connect to it directly with openssl s_client, once with -servername www.mail.example.com and once without. If only the connection with -servername completes the handshake, enabling back-end SNI on the ADC is the fix.

Upgrade NetScaler to 12.0 build 53.13 (nc), then run the following command at the NetScaler CLI (the parameter takes the usual -name VALUE form):
>set vpn parameter -backendServerSni ENABLED


Problem Cause

SNI relies on the host name being present in the client hello; without it, a back end that hosts several names cannot select the right certificate and does not complete the SSL handshake. In this case, back-end server SNI was not enabled in the Gateway VPN parameters (a feature new in 12.0 build 53.x), so the ADC opened the back-end connection without a server name in its client hello and the handshake to the back-end server failed.

Additional Information

CTX205283 - How do I configure SNI on NetScaler?
https://docs.citrix.com/en-us/netscaler-gateway/12/configuring-server-name-indication-extension.html