Creating a TLS SNI server profile

A TLS SNI server profile defines a virtual TLS server that routes inbound traffic to the TLS server profile that contains the actual key material and TLS cipher suites.

About this task

To define a TLS SNI server profile, you must specify the TLS protocol versions to support and the TLS hostname map. The TLS hostname map is known as the SNI map. When you configure a profile, you can define the following behavior.
  • The default TLS server profile to process requests when the ClientHello SNI extension is not provided.
  • The maximum duration for an established TLS session.
  • The maximum number of renegotiation attempts that a client can initiate per session.
Attention: The Protocols setting in a TLS SNI server profile defines the protocol versions available with the client before it routes to the TLS server profile. To make sure that connections are successful, review the configuration of each TLS server profile that the SNI map references. In each TLS server profile, make sure that its protocol versions are a superset of the protocol versions in the TLS SNI server profile with no newer versions. To illustrate, assume the following TLS server profiles and their defined protocol settings when the TLS SNI server profile defines versions 1.2 and 1.3.
TLS server profile with protocol versions 1.2 and 1.3
The connection is successful and is negotiated with the version in the ClientHello. If the client advertises version 1.3 only, the connection is negotiated to version 1.3. If the client advertises version 1.2 only, it is negotiated to version 1.2. If the client advertises both versions 1.2 and 1.3, it is negotiated to version 1.3 because that is the newest version.
TLS server profile with only protocol version 1.3
The connection is successful and is negotiated with a version 1.3 cipher suite. Although the protocol versions are not an exact match, the TLS server profile has the newest of the versions in the TLS SNI server profile.
TLS server profile with only protocol version 1.2
The connection fails. Although the protocol versions are not an exact match, the TLS server profile does not have the newest of the versions in the TLS SNI server profile. In this case, the TLS SNI server profile has already negotiated version 1.3 and cannot renegotiate down to version 1.2.
The following settings in a TLS SNI server profile override their equivalent settings in the TLS server profile that the SNI map references.
  • Maximum TLS session duration
  • Maximum client initiated renegotiations

To get information about the TLS connection, use the var://service/tls-info variable. This variable includes the SNI extension that the client sent in its ClientHello. By using this variable, you can add checks to verify that the hostname in the client SNI extension matches the hostname in the HTTP Host header, which catches clients that complete the handshake against one virtual server and then request another.
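The following is an added example of such a check, written as plain JavaScript so it runs outside the gateway; it is not code from the original page or from the product documentation. It assumes the var://service/tls-info value has been read into an object whose SNI hostname is in a field named sni (the field name and object shape are assumptions), and it normalizes both sides (case, trailing dot, :port suffix, IPv6 brackets) before comparing, because a byte-for-byte comparison would reject legitimate requests such as a Host header of API.example.com:443 against an SNI of api.example.com.

```javascript
// Added example: verify that the hostname in the client's SNI extension
// matches the hostname in the HTTP Host header.
//
// Gateway wiring (assumed usage of the GatewayScript metadata modules, shown
// only as a comment so that this block runs under plain Node.js):
//   var sm = require('service-metadata');
//   var hm = require('header-metadata');
//   var tlsInfo = sm.getVar('var://service/tls-info');   // object; field names assumed
//   var verdict = checkSniMatchesHost(tlsInfo, hm.current.get('Host'));
//   if (!verdict.ok) { /* reject the request and log verdict.reason */ }

// Reduce a Host header or SNI value to a bare, lowercase hostname.
// Returns null when the value is missing or unusable.
function normalizeHost(value) {
  if (typeof value !== 'string') return null;
  let h = value.trim().toLowerCase();
  if (h === '') return null;
  if (h.startsWith('[')) {
    // IPv6 literal such as "[2001:db8::1]:8443": keep the address only.
    const end = h.indexOf(']');
    if (end < 0) return null;
    h = h.slice(1, end);
  } else {
    // Hostname or IPv4 literal: drop any ":port" suffix.
    const colon = h.indexOf(':');
    if (colon >= 0) h = h.slice(0, colon);
  }
  // Drop a trailing dot so the FQDN form "api.example.com." still matches.
  if (h.endsWith('.')) h = h.slice(0, -1);
  return h === '' ? null : h;
}

// Compare the SNI hostname (assumed field: tlsInfo.sni) with the Host header.
// The result carries a reason so the caller can decide policy per case, e.g.
// 'no-sni' may be acceptable when a default server profile is configured.
function checkSniMatchesHost(tlsInfo, hostHeader) {
  const sni = normalizeHost(tlsInfo && tlsInfo.sni);
  const host = normalizeHost(hostHeader);
  if (sni === null) return { ok: false, reason: 'no-sni' };
  if (host === null) return { ok: false, reason: 'no-host' };
  if (sni !== host) return { ok: false, reason: 'mismatch', sni: sni, host: host };
  return { ok: true, reason: 'match', hostname: host };
}

// Constructed sample inputs, standing in for values read from the gateway.
const sampleTlsInfo = { sni: 'api.example.com' };            // constructed
const sampleHostHeader = 'API.example.com:443';              // constructed
const sampleVerdict = checkSniMatchesHost(sampleTlsInfo, sampleHostHeader);
// sampleVerdict.ok is true; a Host header of "other.example.net" would
// produce { ok: false, reason: 'mismatch', ... }.

module.exports = { normalizeHost, checkSniMatchesHost, sampleVerdict };
```

Rejecting on 'mismatch' is the usual policy; whether 'no-sni' is rejected depends on whether the profile defines a default server profile for clients that omit the extension.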

Procedure

  1. In the search field, enter sni.
  2. From the search results, click TLS SNI server profile.
  3. Click Add.

Define the general settings.

  1. Define the basic properties - Name, administrative state, and comments.
  2. From the Protocols list, select the protocol versions to support.
  3. From the TLS hostname map list, select the SNI map that defines the map between hostname patterns and TLS server profiles.
  4. Optional: From the Default server profile list, select the TLS server profile to process requests when the ClientHello SNI extension is not provided.
    When defined, the following rules apply.
    • When the client does not send a ClientHello SNI extension, the default server profile processes the request.
    • When the client sends a ClientHello SNI extension and it does not match a configured hostname map, the request is rejected. When rejection is not the behavior you want, define a hostname map with the * pattern.

    When not defined and the client does not send a ClientHello SNI extension, the request is rejected.

On the Advanced tab, you can define advanced TLS options.

  1. From the Advanced TLS options list, select whether to change the following options for TLS connections.
    Set maximum TLS session duration
    By default, the duration for an established TLS session is 3600 seconds.
    Set maximum number of client-initiated renegotiations
    By default, 10 client-initiated renegotiation attempts are allowed.
  2. When the Set maximum TLS session duration option is selected, in the Maximum TLS session duration field, specify the maximum session duration in seconds. Enter a value in the range 1 - 691200.
  3. When the Set maximum number of client-initiated renegotiations option is selected, in the Maximum client-initiated renegotiations field, enter the maximum number of renegotiation attempts that a client can initiate per session. Enter a value in the range 0 - 512. A value of 0 indicates that TLS client-initiated renegotiation is not allowed.
  4. Click Apply to save changes to the running configuration.
  5. Click Save to save changes to the persisted configuration.