Citrix ADC occasionally not sending SNI to backend server in Client Hello


Article ID: CTX463406


Description

When server-side SNI with Common Name is enabled on the ADC, either in the SSL service configuration or in an SSL profile, you may sporadically find that the ADC does not send SNI to the backend server, which can cause the backend SSL handshake to fail.

Resolution

Solution:
A backend server that does not send the "Server Name" extension in its Server Hello is not complying with RFC 6066.

Workaround:
Disable session reuse on services whose backend server does not send the "Server Name" extension in its Server Hello. The ADC will then send SNI in every Client Hello to that backend server.

Problem Cause

If the backend server does not send the "Server Name" extension in its Server Hello, the ADC concludes that the server is not SNI-enabled. Later, when it reuses the SSL session and sends a new Client Hello, the ADC therefore does not include SNI.
An example follows (screenshot image.png, not reproduced here).
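As an added example (not Citrix's code), the following Python checks whether a captured TLS 1.2 Server Hello echoes the RFC 6066 server_name extension (type 0), which is the signal the article says the ADC keys on, and models the resulting decision on a reused session. The record parsing, the constructed sample Server Hello bytes and the decision helper are assumptions for illustration, not ADC internals.

```python
# Parse a TLS 1.2 ServerHello record and report whether the server echoed the
# RFC 6066 server_name extension. Sample bytes below are constructed, not captured.
import struct

SERVER_NAME_EXT = 0  # RFC 6066 extension type for server_name

def server_hello_has_sni(record: bytes) -> bool:
    """True if the ServerHello in this handshake record carries a server_name extension."""
    ctype, _ver, rec_len = struct.unpack("!BHH", record[:5])  # record header
    if ctype != 22:
        raise ValueError("not a handshake record")
    body = record[5:5 + rec_len]
    if body[0] != 2:                                           # handshake type ServerHello
        raise ValueError("not a ServerHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    pos = 2 + 32                                # skip server_version and random
    sid_len = hello[pos]
    pos += 1 + sid_len                          # skip session_id
    pos += 2 + 1                                # skip cipher_suite and compression_method
    if pos >= len(hello):
        return False                            # no extensions block at all
    ext_len = struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    while pos + 4 <= end:                       # walk the extension list
        ext_type, elen = struct.unpack("!HH", hello[pos:pos + 4])
        if ext_type == SERVER_NAME_EXT:
            return True                         # server_name echoed (empty body per RFC 6066)
        pos += 4 + elen
    return False

def build_server_hello(extensions: bytes) -> bytes:
    """Constructed sample: TLS 1.2 ServerHello, empty session_id, cipher 0xC02F, given extensions."""
    hello = b"\x03\x03" + bytes(32) + b"\x00" + b"\xc0\x2f" + b"\x00"
    if extensions:
        hello += struct.pack("!H", len(extensions)) + extensions
    hs = b"\x02" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x03" + struct.pack("!H", len(hs)) + hs

def sni_sent_on_reuse(server_hello: bytes, session_reuse: bool) -> bool:
    """Model of the behaviour the article describes (assumption, not ADC code): with session
    reuse on, SNI is only sent if the backend echoed server_name; with reuse off, always."""
    return True if not session_reuse else server_hello_has_sni(server_hello)
```

Run `server_hello_has_sni` over the backend's Server Hello from a packet capture to confirm the non-compliance before disabling session reuse.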

Issue/Introduction

The ADC will not send SNI to a backend server on a reused session when that server does not follow RFC 6066 and omits the server name extension from its Server Hello.